Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532885
MD5:	9dd5cc11594c9994399c934c991f562c
SHA1:	3169e798bab129fb8b69a8c9038571952be13a87
SHA256:	02bdb3eff2f9ed97d753d82c231866ba6dd6a1134a4a1d9e9fe5058eaffdff7d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9DD5CC11594C9994399C934C991F562C)

taskkill.exe (PID: 6592 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1508 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2120 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5448 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7040 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6452 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6680 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2756 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5432 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d30234f-83dc-4616-963d-c840c8c3c565} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd4126ff10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7644 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1568 -parentBuildID 20230927232528 -prefsHandle 4036 -prefMapHandle 2860 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aae5212-1d50-4102-9b86-67ab97c1cbe9} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd533ba410 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8180 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 2628 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48db7f1c-968e-4dc6-9876-b2cfd4458117} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd5aacfd10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1829716761.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6420	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0068EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0068EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0068ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0068ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0068EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0067AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0067AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_006A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bbd48b34-0
Source: file.exe, 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d93ebcef-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_666cf205-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6c7be379-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000256D8E48E77 NtQuerySystemInformation,		16_2_00000256D8E48E77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000256D8E63172 NtQuerySystemInformation,		16_2_00000256D8E63172

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0067D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0067D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00671201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00671201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0067E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0067E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061BF40	0_2_0061BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00618060	0_2_00618060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00682046	0_2_00682046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00678298	0_2_00678298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064E4FF	0_2_0064E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064676B	0_2_0064676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A4873	0_2_006A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061CAF0	0_2_0061CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0063CAA0	0_2_0063CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062CC39	0_2_0062CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062B119	0_2_0062B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006191C0	0_2_006191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00631394	0_2_00631394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00631706	0_2_00631706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0063781B	0_2_0063781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062997D	0_2_0062997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00617920	0_2_00617920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006319B0	0_2_006319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00637A4A	0_2_00637A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00631C77	0_2_00631C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00637CA7	0_2_00637CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069BE44	0_2_0069BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00649EEE	0_2_00649EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00631F32	0_2_00631F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000256D8E48E77	16_2_00000256D8E48E77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000256D8E63172	16_2_00000256D8E63172
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000256D8E6389C	16_2_00000256D8E6389C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000256D8E631B2	16_2_00000256D8E631B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00630A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0062F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00619CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@74/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006837B5 GetLastError,FormatMessageW,

0_2_006837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006710BF AdjustTokenPrivileges,CloseHandle,		0_2_006710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0067D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0067D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0068648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0068648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909523303.000001FD5D446000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1909523303.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 36%
Source: file.exe	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d30234f-83dc-4616-963d-c840c8c3c565} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd4126ff10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1568 -parentBuildID 20230927232528 -prefsHandle 4036 -prefMapHandle 2860 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aae5212-1d50-4102-9b86-67ab97c1cbe9} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd533ba410 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 2628 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48db7f1c-968e-4dc6-9876-b2cfd4458117} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd5aacfd10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d30234f-83dc-4616-963d-c840c8c3c565} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd4126ff10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1568 -parentBuildID 20230927232528 -prefsHandle 4036 -prefMapHandle 2860 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aae5212-1d50-4102-9b86-67ab97c1cbe9} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd533ba410 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 2628 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48db7f1c-968e-4dc6-9876-b2cfd4458117} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd5aacfd10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1983313561.000001FD50D2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1981773468.000001FD50D2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1983313561.000001FD50D2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1982587796.000001FD50D24000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1981773468.000001FD50D2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1979425932.000001FD50D24000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1982587796.000001FD50D24000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1979425932.000001FD50D24000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006142DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00630A76 push ecx; ret	0_2_00630A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00647138 push esp; retf	0_2_00647140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00647736 push esp; retf	0_2_00647737

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0062F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94684

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000256D8E48E77 rdtsc

16_2_00000256D8E48E77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0067DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006868EE FindFirstFileW,FindClose,	0_2_006868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0068698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0067D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0067D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00689642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00689642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00689B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00689B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00685C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00685C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006142DE

Source: firefox.exe, 00000010.00000002.3639208533.00000256D89B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: firefox.exe, 0000000F.00000002.3640983741.00000166BC908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-8
Source: firefox.exe, 0000000F.00000002.3635336194.00000166BC47A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3639208533.00000256D89B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3634352751.000001141F7BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3639786707.000001141FB70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3640180955.00000166BC813000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3633916612.00000256D815A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`M
Source: firefox.exe, 0000000F.00000002.3635336194.00000166BC47A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 0000000F.00000002.3640983741.00000166BC908000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3639208533.00000256D89B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 0000000F.00000002.3640983741.00000166BC908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~8$>

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000256D8E48E77 rdtsc

16_2_00000256D8E48E77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0068EAA2 BlockInput,

0_2_0068EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00642622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00642622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00634CE8 mov eax, dword ptr fs:[00000030h]

0_2_00634CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00670B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00670B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00642622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00642622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0063083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0063083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006309D5 SetUnhandledExceptionFilter,	0_2_006309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00630C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00630C21

Source: C:\Users\user\Desktop\file.exe

0_2_00671201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00652BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00652BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0067B226 SendInput,keybd_event,

0_2_0067B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00670B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00671663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00671663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00630698 cpuid

0_2_00630698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00688195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00688195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0066D27A GetUserNameW,

0_2_0066D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0064BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0064BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1829716761.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6420, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1829716761.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6420, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00691204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00691204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00691806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00691806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	38%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
prod.content-signature-chains.prod.webservices.mozgcp.net	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
us-west1.prod.sumo.prod.webservices.mozgcp.net	0%	Virustotal	Browse
reddit.map.fastly.net	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
push.services.mozilla.com	0%	Virustotal	Browse
spocs.getpocket.com	0%	Virustotal	Browse
normandy-cdn.services.mozilla.com	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
www.reddit.com	0%	Virustotal	Browse
support.mozilla.org	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse
prod.ads.prod.webservices.mozgcp.net	0%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse
www.facebook.com	0%	Virustotal	Browse
content-signature-2.cdn.mozilla.net	0%	Virustotal	Browse
normandy.cdn.mozilla.net	0%	Virustotal	Browse
shavar.services.mozilla.com	0%	Virustotal	Browse
www.wikipedia.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	0%	Virustotal		Browse
https://www.msn.com	0%	Virustotal		Browse
https://github.com/w3c/csswg-drafts/issues/4650	0%	Virustotal		Browse
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse
https://content-signature-2.cdn.mozilla.net/	0%	Virustotal		Browse
https://www.instagram.com/	0%	Virustotal		Browse
https://www.amazon.com/	0%	Virustotal		Browse
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	0%	Virustotal		Browse
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	Virustotal		Browse
https://youtube.com/	0%	Virustotal		Browse
https://addons.mozilla.org/firefox/addon/to-google-translate/	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
https://www.bbc.co.uk/	0%	Virustotal		Browse
https://youtube.com/account?=	0%	Virustotal		Browse
https://www.iqiyi.com/	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	0%	Virustotal		Browse
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	Virustotal		Browse
https://addons.mozilla.org/	0%	Virustotal		Browse
http://mozilla.org/MPL/2.0/.	0%	Virustotal		Browse
https://mail.yahoo.co.jp/compose/?To=%s	0%	Virustotal		Browse
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	0%	Virustotal		Browse
http://youtube.com/	0%	Virustotal		Browse
https://www.amazon.co.uk/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.65	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	52.222.236.23	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.78	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	0%, Virustotal, Browse	unknown
youtube-ui.l.google.com	142.250.186.174	true	false	0%, Virustotal, Browse	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	0%, Virustotal, Browse	unknown
reddit.map.fastly.net	151.101.193.140	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.171	true	false	0%, Virustotal, Browse	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
push.services.mozilla.com	34.107.243.93	true	false	0%, Virustotal, Browse	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
www.reddit.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
spocs.getpocket.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
support.mozilla.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
shavar.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.wikipedia.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://youtube.comW	firefox.exe, 0000000D.00000003.1865367390.000001FD51EE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945323495.000001FD51EE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871229912.000001FD51EE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873165091.000001FD51EE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930006380.000001FD51EE3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000D.00000003.1908197587.000001FD5DD16000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.2006926770.000001FD54A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000080706.000001FD54A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908763390.000001FD5D5E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3635611653.00000256D84C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3635410526.000001141FAC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.2019624264.000001FD523D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1995221914.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874085092.000001FD51E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875041822.000001FD51E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000610682.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015185974.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3636380168.00000166BC6CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3635611653.00000256D84E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3640143295.000001141FD06000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1970620001.000001FD59040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942109482.000001FD5903B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3635410526.000001141FA8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/searchf458e78b-9128-4027-b344-538f5661c148fa42b23a-30c5-46f3-8997-4a	firefox.exe, 0000000D.00000003.1846500423.000001FD52266000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1846500423.000001FD52266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991699816.000001FD59510000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1844802352.000001FD59190000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2023015141.000001FD52FD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2011283192.000001FD59447000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1918144759.000001FD53017000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1917853727.000001FD53082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1811032441.000001FD4F35D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811276577.000001FD4F37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810727644.000001FD4F33E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810464415.000001FD4F320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810291856.000001FD50E00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.2022135845.000001FD52A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2009125778.000001FD52A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015597103.000001FD52A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2017970167.000001FD52A73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.2002658978.000001FD5AFBC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1913939494.000001FD545D9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1998832903.000001FD58F55000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1997560443.000001FD59145000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811032441.000001FD4F35D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911404332.000001FD5913E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811276577.000001FD4F37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810727644.000001FD4F33E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2011579697.000001FD59147000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948705625.000001FD52CF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810464415.000001FD4F320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810291856.000001FD50E00000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1913939494.000001FD54559000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1811032441.000001FD4F35D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811276577.000001FD4F37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810727644.000001FD4F33E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810464415.000001FD4F320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810291856.000001FD50E00000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1994291153.000001FD58E9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917021943.000001FD534F1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1996429267.000001FD594E9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3636380168.00000166BC6CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3635611653.00000256D84E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3640143295.000001141FD06000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.2008377945.000001FD53244000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1854213152.000001FD52D2B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1991132805.000001FD5AA34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844621105.000001FD594E9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1918144759.000001FD53017000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1998832903.000001FD58F6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2005068241.000001FD58F6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3636380168.00000166BC6CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3635611653.00000256D84E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3640143295.000001141FD06000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000011.00000002.3635410526.000001141FA0C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1874208470.000001FD52484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871882759.000001FD52484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873044744.000001FD52490000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1996531593.000001FD594D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1991699816.000001FD59510000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1995221914.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000610682.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015185974.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.2006926770.000001FD54A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908197587.000001FD5DD16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000080706.000001FD54A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908763390.000001FD5D5E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3635611653.00000256D84C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3635410526.000001141FAC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1871882759.000001FD5246C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1924122221.000001FD51A52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945539745.000001FD51A5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1990280583.000001FD5AAD5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.2022135845.000001FD52A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2009125778.000001FD52A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015597103.000001FD52A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2017970167.000001FD52A73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1917769250.000001FD530E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.2005068241.000001FD58F5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2005068241.000001FD58F66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1908972487.000001FD5D5A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3635611653.00000256D8412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3635410526.000001141FA13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1991699816.000001FD59510000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	0%, Virustotal, Browse	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1917853727.000001FD53082000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1913939494.000001FD545D9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1936094089.000001FD51A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1986559982.000001FD52C39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924122221.000001FD51A52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937652743.000001FD512BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917369940.000001FD5346A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926284481.000001FD51A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973535734.000001FD52D1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917496810.000001FD533D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868068141.000001FD54859000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945539745.000001FD51A5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912684800.000001FD58FB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1979708419.000001FD5128B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917021943.000001FD534F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987126932.000001FD52CA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867265708.000001FD52452000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981716046.000001FD4F33D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916268198.000001FD539A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2025779167.000001FD539A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972647278.000002000003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2014324782.000001FD54415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015185974.000001FD532FA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1913939494.000001FD54559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000D.00000003.1911404332.000001FD591B3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1915985067.000001FD539F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995019694.000001FD539F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913939494.000001FD54559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1911404332.000001FD59125000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998022835.000001FD59125000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1913939494.000001FD5453E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912837946.000001FD58F94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1913939494.000001FD5453E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912837946.000001FD58F94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1970620001.000001FD59040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942109482.000001FD5903B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1846500423.000001FD52266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911043963.000001FD595AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1993251095.000001FD595AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844163933.000001FD595A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991285245.000001FD595AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1998832903.000001FD58F51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1982855596.000001FD4E834000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812828997.000001FD4E833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960701384.000001FD4E833000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.2027016415.000001FD52ADD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2017907608.000001FD52ADB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2008694783.000001FD52AD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.2012024525.000001FD58E9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913214271.000001FD58E9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2005809741.000001FD58E9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1994291153.000001FD58E9C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1874899964.000001FD5248C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874208470.000001FD52484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871882759.000001FD52484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873044744.000001FD52490000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1982855596.000001FD4E834000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812828997.000001FD4E833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960701384.000001FD4E833000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1995221914.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000610682.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015185974.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3636380168.00000166BC6CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3635611653.00000256D84E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3640143295.000001141FD06000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.2004113491.000001FD5919E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3639556668.00000166BC740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3638898838.00000256D8960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3639900343.000001141FC70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1846500423.000001FD52266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991699816.000001FD59510000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
52.222.236.23	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532885
Start date and time:	2024-10-14 04:54:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@74/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.26.161.5, 52.25.49.43, 35.83.8.120, 2.22.61.59, 2.22.61.56, 142.250.186.110, 172.217.16.206, 142.250.184.202, 142.250.185.170
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse
52.222.236.23	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	52.222.236.23
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	157.240.0.35
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.0.35
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	http://bancolombia-personas-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	34.149.206.255
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	34.149.206.255
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
AMAZON-02US	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	52.210.33.116
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	Unknown	Browse	52.210.33.116
	https://payrollruntimesheet.weebly.com/verify.html	Get hash	malicious	HTMLPhisher	Browse	50.112.173.192

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b0bd22ac-4b5a-46d3-bae1-657a8d7542cc.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182593097269555
Encrypted:	false
SSDEEP:	192:OjMigzgPg4cbhbVbTbfbRbObtbyEl7nYrtJA6WnSrDtTUd/SkDrQ:OYt0Y4cNhnzFSJ4roBnSrDhUd/m
MD5:	59054456DD2DD6B011F7C4D188489620
SHA1:	4892EBD341EFE4AA7C160BF37A475DE1733A5B1D
SHA-256:	E1EFB2FF314F75949A011C65567104204FFBFDAF7CE2CB3D29434206F5A52762
SHA-512:	B5C6FB18393826374DB57B76909377EADCCE5B0397767127698DEE5EAE29A5C35CAE987D00DFE87C4393A71FBF619BBD3A9BD0453E8979AE32CA8AF2BD928A2E
Malicious:	false
Preview:	{"type":"uninstall","id":"b0bd22ac-4b5a-46d3-bae1-657a8d7542cc","creationDate":"2024-10-14T04:47:08.120Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b0bd22ac-4b5a-46d3-bae1-657a8d7542cc.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182593097269555
Encrypted:	false
SSDEEP:	192:OjMigzgPg4cbhbVbTbfbRbObtbyEl7nYrtJA6WnSrDtTUd/SkDrQ:OYt0Y4cNhnzFSJ4roBnSrDhUd/m
MD5:	59054456DD2DD6B011F7C4D188489620
SHA1:	4892EBD341EFE4AA7C160BF37A475DE1733A5B1D
SHA-256:	E1EFB2FF314F75949A011C65567104204FFBFDAF7CE2CB3D29434206F5A52762
SHA-512:	B5C6FB18393826374DB57B76909377EADCCE5B0397767127698DEE5EAE29A5C35CAE987D00DFE87C4393A71FBF619BBD3A9BD0453E8979AE32CA8AF2BD928A2E
Malicious:	false
Preview:	{"type":"uninstall","id":"b0bd22ac-4b5a-46d3-bae1-657a8d7542cc","creationDate":"2024-10-14T04:47:08.120Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	dropped
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.313447189943199
Encrypted:	false
SSDEEP:	48:fd3cVqUgdw8zBd3cVa6Bdws/d3cVaadwu1:xc+cIUco4
MD5:	24E22E6D5FDE20F12A8BA1B68C5FF749
SHA1:	A17D1C334BCCCC3B68B0052F819193421C8C2D1C
SHA-256:	BEDB81156101A1A0E8E77A691D5DEC1B54CB0AEED7AEC015E9098F4859636AD4
SHA-512:	E6FFEF39B8AF696E40A34C2B9C2B231E4043047CC6C1D042928F1033235642E4A40F062795EBD6D5865D24C1FBF3CD4AB54A951F23E05EA89040AECF53E0DE07
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......w.0.............S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.INY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WNY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WNY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............~.......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.313447189943199
Encrypted:	false
SSDEEP:	48:fd3cVqUgdw8zBd3cVa6Bdws/d3cVaadwu1:xc+cIUco4
MD5:	24E22E6D5FDE20F12A8BA1B68C5FF749
SHA1:	A17D1C334BCCCC3B68B0052F819193421C8C2D1C
SHA-256:	BEDB81156101A1A0E8E77A691D5DEC1B54CB0AEED7AEC015E9098F4859636AD4
SHA-512:	E6FFEF39B8AF696E40A34C2B9C2B231E4043047CC6C1D042928F1033235642E4A40F062795EBD6D5865D24C1FBF3CD4AB54A951F23E05EA89040AECF53E0DE07
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......w.0.............S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.INY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WNY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WNY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............~.......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LZ2YW1XSG67FDESNELJ2.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.313447189943199
Encrypted:	false
SSDEEP:	48:fd3cVqUgdw8zBd3cVa6Bdws/d3cVaadwu1:xc+cIUco4
MD5:	24E22E6D5FDE20F12A8BA1B68C5FF749
SHA1:	A17D1C334BCCCC3B68B0052F819193421C8C2D1C
SHA-256:	BEDB81156101A1A0E8E77A691D5DEC1B54CB0AEED7AEC015E9098F4859636AD4
SHA-512:	E6FFEF39B8AF696E40A34C2B9C2B231E4043047CC6C1D042928F1033235642E4A40F062795EBD6D5865D24C1FBF3CD4AB54A951F23E05EA89040AECF53E0DE07
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......w.0.............S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.INY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WNY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WNY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............~.......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MIIY1IP2EH99CYG5A62Z.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.313447189943199
Encrypted:	false
SSDEEP:	48:fd3cVqUgdw8zBd3cVa6Bdws/d3cVaadwu1:xc+cIUco4
MD5:	24E22E6D5FDE20F12A8BA1B68C5FF749
SHA1:	A17D1C334BCCCC3B68B0052F819193421C8C2D1C
SHA-256:	BEDB81156101A1A0E8E77A691D5DEC1B54CB0AEED7AEC015E9098F4859636AD4
SHA-512:	E6FFEF39B8AF696E40A34C2B9C2B231E4043047CC6C1D042928F1033235642E4A40F062795EBD6D5865D24C1FBF3CD4AB54A951F23E05EA89040AECF53E0DE07
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......w.0.............S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.INY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WNY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WNY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............~.......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9274583231728695
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN49N:8S+OfJQPUFpOdwNIOdYVjvYcXaNL3O8P
MD5:	60351F92BC2EE0983F9400130A451403
SHA1:	9166986F51B8C77AB555726A69D7384C9A7E37C7
SHA-256:	474D4930FBD28AC316F5990C5E62C08BAE958FE7B8402A7B349B3AC895624127
SHA-512:	B63FBA39F43164C2C4C4BE20EE1C464DCF39E7B270DA43691880448C8DA91D5C29870F460049EC07D2BA8708B3028430D9EB1AD5BFEC54FD727EF37115CFFAA4
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9274583231728695
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN49N:8S+OfJQPUFpOdwNIOdYVjvYcXaNL3O8P
MD5:	60351F92BC2EE0983F9400130A451403
SHA1:	9166986F51B8C77AB555726A69D7384C9A7E37C7
SHA-256:	474D4930FBD28AC316F5990C5E62C08BAE958FE7B8402A7B349B3AC895624127
SHA-512:	B63FBA39F43164C2C4C4BE20EE1C464DCF39E7B270DA43691880448C8DA91D5C29870F460049EC07D2BA8708B3028430D9EB1AD5BFEC54FD727EF37115CFFAA4
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333408260959026
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkihS:DLhesh7Owd4+ji
MD5:	6D9C344AB0D86E946E9DF0338015EF66
SHA1:	6BFFC6E59E76E2A1A8B3B3D32AE930F6724C3C96
SHA-256:	DB4633B0F7177B6C2D8E81DBADA5F7D074E54A94290D50D478E6946E7D6D8477
SHA-512:	09EC9E7B7683548BAED72A3B405F5F075658BEBFE9D66771652013728F2AE642F5B13B0E88E4479C1CAF3A260C02E7F3DDB00BA5C55E2ED16AFD8D8ECAA41D14
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039751381258926154
Encrypted:	false
SSDEEP:	3:GHlhVQph6lhVQp5t/ol8a9//Ylll4llqlyllel4lt:G7VQph+VQp5tQL9XIwlio
MD5:	5FECC441C2D4192DE153D2B9D22E6BA8
SHA1:	C9958EB912488A419C3B0F4797C3946F11B73564
SHA-256:	205017C3F5584A7156025DEAEB28AFE748CB1503E5AD8855DB3C7D6301CE894E
SHA-512:	3F95654A47BEE5CBD0EEB9070BD5C28E37547000A0B7DC0CE271C26C9B2A7E58DE6936A4B43937EF4675FDE9DB6A05FF64EBE6A7F13328D458DD4C7019C295D3
Malicious:	false
Preview:	..-......................J..%-....B.......ey..ms..-......................J..%-....B.......ey..ms........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11813124137013768
Encrypted:	false
SSDEEP:	24:KbfkDqLxsZ+wjxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxFewleXqVZ2i7+:4MqQvJtUnWdU+RVxFfYXAZk
MD5:	5981FA1050BB549EB61048138CD1612E
SHA1:	2EE09FA55A4996532A52257B142051472CB41D5D
SHA-256:	F0F14709586C5D825D42EF3E0F9BF2D872FAE3D54AB13CF900C1E75E82DD7686
SHA-512:	5E2A155DDE8272C0A47CBDC5E9FE3B94D90F94790E93FEAC76BD3BA8B629C41F1C70475C0E329607BE6201A6890CE54B95F9F1C8589007D985804DD2C4D843CD
Malicious:	false
Preview:	7....-............B.....x...[.$..........B......jHO....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.492871997859704
Encrypted:	false
SSDEEP:	192:7naRtLYbBp6Qhj4qyaaX06KeuNPB5RfGNBw8deSl:+e2qsNa9cwN0
MD5:	5CBAA4F6362526C9C06A373087AE9ADE
SHA1:	AD277C8A74F4764CD914BA9B4A6E46FE1455B932
SHA-256:	BB899570D6B3506B1F36BD589FA619A4AFF2734A7FB0513640DBF231D5356742
SHA-512:	E9658BE1CC808B34CCE8A5D40506696CBDAE178EF96C223C5F9A719417420D407160AAC71FC5721D88735C90B484C7FE43EDB25DD8943AB42EFA8F01894083E8
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728881198);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728881198);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728881198);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172888

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.492871997859704
Encrypted:	false
SSDEEP:	192:7naRtLYbBp6Qhj4qyaaX06KeuNPB5RfGNBw8deSl:+e2qsNa9cwN0
MD5:	5CBAA4F6362526C9C06A373087AE9ADE
SHA1:	AD277C8A74F4764CD914BA9B4A6E46FE1455B932
SHA-256:	BB899570D6B3506B1F36BD589FA619A4AFF2734A7FB0513640DBF231D5356742
SHA-512:	E9658BE1CC808B34CCE8A5D40506696CBDAE178EF96C223C5F9A719417420D407160AAC71FC5721D88735C90B484C7FE43EDB25DD8943AB42EFA8F01894083E8
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728881198);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728881198);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728881198);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172888

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\d3868cce-c653-4977-a030-57a2f263a244 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.963870226996479
Encrypted:	false
SSDEEP:	12:YZFgNrTUV3oXZ/RIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YOSCRSlCOlZGV1AQIWZcy6Z2d
MD5:	9027E1636F0A61D04B345ACD63DD0F71
SHA1:	997A2CAF03BB06094B647A18BDF1EAADA1A60F67
SHA-256:	7AA7963D14C4F240DBDD5EFE3A73F556732D7C3335065C476DAD3B0BE05B76EB
SHA-512:	2822C87A9B8F2BB9C040071834C3AC162C4715752D40D9448487426FEB54669AA3C6D50C973E121DDBE21E1B8018151F97F66277FC4F2F1A06B7FF94B8CED691
Malicious:	false
Preview:	{"type":"health","id":"d3868cce-c653-4977-a030-57a2f263a244","creationDate":"2024-10-14T04:47:08.593Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\d3868cce-c653-4977-a030-57a2f263a244.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.963870226996479
Encrypted:	false
SSDEEP:	12:YZFgNrTUV3oXZ/RIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YOSCRSlCOlZGV1AQIWZcy6Z2d
MD5:	9027E1636F0A61D04B345ACD63DD0F71
SHA1:	997A2CAF03BB06094B647A18BDF1EAADA1A60F67
SHA-256:	7AA7963D14C4F240DBDD5EFE3A73F556732D7C3335065C476DAD3B0BE05B76EB
SHA-512:	2822C87A9B8F2BB9C040071834C3AC162C4715752D40D9448487426FEB54669AA3C6D50C973E121DDBE21E1B8018151F97F66277FC4F2F1A06B7FF94B8CED691
Malicious:	false
Preview:	{"type":"health","id":"d3868cce-c653-4977-a030-57a2f263a244","creationDate":"2024-10-14T04:47:08.593Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.331630721214551
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqSmHLXnIgbD/pnxQwRlszT5sKt003eHVQj6THamhujJlOsIomNVrw:GUpOx9jhnR6f3eHTH4JlIquR4
MD5:	C36E22526DF11CA9A02122D0CEA0751F
SHA1:	418F0A791043C94F21381EA8F063CF6017954931
SHA-256:	B15B7C91E554B96C56AC0BA5ED530956C7A5B0EAF28CEF6DED7329ED2F8E3FFB
SHA-512:	571B88E10564A8F58B4938D174746FF9216F526922DD8C0AAC05EED34B3C3F22050F477BC27C51ACBB7B46CEAF8800E414BD8CC5AEEE4A9276AB883BE563D82A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{21f4e498-d42e-4876-9e2f-57fca34f8e87}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728881204036,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..`168075...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....173768,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.331630721214551
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqSmHLXnIgbD/pnxQwRlszT5sKt003eHVQj6THamhujJlOsIomNVrw:GUpOx9jhnR6f3eHTH4JlIquR4
MD5:	C36E22526DF11CA9A02122D0CEA0751F
SHA1:	418F0A791043C94F21381EA8F063CF6017954931
SHA-256:	B15B7C91E554B96C56AC0BA5ED530956C7A5B0EAF28CEF6DED7329ED2F8E3FFB
SHA-512:	571B88E10564A8F58B4938D174746FF9216F526922DD8C0AAC05EED34B3C3F22050F477BC27C51ACBB7B46CEAF8800E414BD8CC5AEEE4A9276AB883BE563D82A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{21f4e498-d42e-4876-9e2f-57fca34f8e87}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728881204036,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..`168075...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....173768,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.331630721214551
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqSmHLXnIgbD/pnxQwRlszT5sKt003eHVQj6THamhujJlOsIomNVrw:GUpOx9jhnR6f3eHTH4JlIquR4
MD5:	C36E22526DF11CA9A02122D0CEA0751F
SHA1:	418F0A791043C94F21381EA8F063CF6017954931
SHA-256:	B15B7C91E554B96C56AC0BA5ED530956C7A5B0EAF28CEF6DED7329ED2F8E3FFB
SHA-512:	571B88E10564A8F58B4938D174746FF9216F526922DD8C0AAC05EED34B3C3F22050F477BC27C51ACBB7B46CEAF8800E414BD8CC5AEEE4A9276AB883BE563D82A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{21f4e498-d42e-4876-9e2f-57fca34f8e87}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728881204036,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..`168075...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....173768,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034717442697152
Encrypted:	false
SSDEEP:	48:YrSAYy6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycyyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	840CD144B0C10BAF1C0FCA9C8FA0E210
SHA1:	C108F892376A8F83C7474B4A8E2217406EF33DB2
SHA-256:	A5A4E6A81690A4BF675AE415EB8E6A5297D796FF087074F11CB3FB4C8EE9DD0A
SHA-512:	4C8C0A16DB71B89E2669A639DF80D301641A17BED682BC16F72D514ACCC9FB29056F814428513C8285C922C40AAE071E8CF4C79E22A56F01B2969EB5591E6E54
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T04:46:24.807Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034717442697152
Encrypted:	false
SSDEEP:	48:YrSAYy6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycyyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	840CD144B0C10BAF1C0FCA9C8FA0E210
SHA1:	C108F892376A8F83C7474B4A8E2217406EF33DB2
SHA-256:	A5A4E6A81690A4BF675AE415EB8E6A5297D796FF087074F11CB3FB4C8EE9DD0A
SHA-512:	4C8C0A16DB71B89E2669A639DF80D301641A17BED682BC16F72D514ACCC9FB29056F814428513C8285C922C40AAE071E8CF4C79E22A56F01B2969EB5591E6E54
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T04:46:24.807Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584696035628604
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	9dd5cc11594c9994399c934c991f562c
SHA1:	3169e798bab129fb8b69a8c9038571952be13a87
SHA256:	02bdb3eff2f9ed97d753d82c231866ba6dd6a1134a4a1d9e9fe5058eaffdff7d
SHA512:	fd4687baee292dd0938087845e92256549492e9882441039ac7b99423c32f6f2c88dac9266fc3108152a76455fa9078ee9d975654707f0c78bfa6f49f2c3a5e5
SSDEEP:	24576:3CqDEvCTbMWu7rQYlBQcBiT6rprG8abO:STvC/MTQYxsWR7ab
TLSH:	0F159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x670C82B4 [Mon Oct 14 02:32:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F025CF04943h
jmp 00007F025CF0424Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F025CF0442Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F025CF043FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F025CF06FEDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F025CF07038h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F025CF07021h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	f19594e363404d16444b5e9d473a5765	False	0.31571400316455694	data	5.374134897826431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 04:55:27.568542004 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:27.568567991 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:27.570668936 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:27.574881077 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:27.574898005 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:28.064574957 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:28.069550037 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:28.077249050 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:28.077260017 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:28.077292919 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:28.077822924 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:28.085016012 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:29.731265068 CEST	49738	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:29.731340885 CEST	443	49738	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:29.731570005 CEST	49738	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:29.732975960 CEST	49738	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:29.733023882 CEST	443	49738	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:29.869126081 CEST	49739	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:29.869167089 CEST	443	49739	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:29.870394945 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:29.871936083 CEST	49739	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:29.874011993 CEST	49739	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:29.874028921 CEST	443	49739	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:29.875370979 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:29.879559994 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:29.881917000 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:29.886769056 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.125268936 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:30.125312090 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:30.127515078 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:30.127723932 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:30.127743959 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:30.131411076 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.131448030 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.131943941 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.133172035 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.133188009 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.155148029 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.155189991 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.155635118 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.157128096 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.157147884 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.334639072 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.381112099 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.462620974 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.467628002 CEST	80	49744	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.470555067 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.470702887 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.477446079 CEST	80	49744	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.497524977 CEST	443	49738	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.498518944 CEST	443	49738	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.498583078 CEST	49738	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.498604059 CEST	443	49738	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.508138895 CEST	49738	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.508160114 CEST	443	49738	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.508248091 CEST	49738	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.508455992 CEST	443	49738	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.509160042 CEST	49738	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.525713921 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:30.525737047 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:30.525927067 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:30.526093006 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:30.526108027 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:30.542634010 CEST	443	49739	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.544085979 CEST	443	49739	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.550545931 CEST	49739	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.550565004 CEST	443	49739	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.556106091 CEST	49739	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.556124926 CEST	443	49739	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.556260109 CEST	49739	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.556334972 CEST	443	49739	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.556528091 CEST	49739	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.556735992 CEST	49746	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.556760073 CEST	443	49746	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.556816101 CEST	49746	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.558687925 CEST	49746	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:30.558706045 CEST	443	49746	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:30.622199059 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.622277975 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.627485037 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.627496004 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.627635956 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.627759933 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.628101110 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.628115892 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.630054951 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.630093098 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.630911112 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:30.632055044 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.632070065 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.634676933 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:30.638098001 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:30.638103962 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:30.638477087 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:30.640691042 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:30.640788078 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:30.640841961 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:30.650655985 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.653191090 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.657560110 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.657567024 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.657696009 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.657830000 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.658257961 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.658344030 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.662285089 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.662334919 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.664352894 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:30.664392948 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:30.718346119 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.723777056 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.725244045 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.855163097 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.860157967 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.860313892 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.860487938 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.865283966 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.946353912 CEST	80	49744	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.946577072 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:30.951833010 CEST	80	49744	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:30.951905966 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:31.010375977 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.010461092 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.013493061 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.013508081 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.013901949 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.015773058 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.015861988 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.015961885 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.016244888 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.016295910 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.023791075 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.023808956 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.023857117 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.024010897 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.024027109 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.139580965 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.139720917 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.143608093 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.143621922 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.143688917 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.143913031 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.144222021 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.144362926 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.144488096 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.147989035 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.148003101 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.148061037 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.148377895 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.151174068 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.213175058 CEST	443	49746	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:31.213255882 CEST	49746	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:31.214519978 CEST	443	49746	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:31.214610100 CEST	49746	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:31.218204975 CEST	49746	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:31.218211889 CEST	443	49746	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:31.218292952 CEST	49746	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:31.218483925 CEST	443	49746	142.250.186.78	192.168.2.4
Oct 14, 2024 04:55:31.218558073 CEST	49746	443	192.168.2.4	142.250.186.78
Oct 14, 2024 04:55:31.336204052 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:31.382652998 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.382730007 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.383865118 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.383865118 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:31.385225058 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.385241985 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.502120972 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.502152920 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.505569935 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:31.510351896 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.510628939 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:31.512468100 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:31.516375065 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.516402960 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.516830921 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:31.517323017 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.519380093 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.519443989 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.519826889 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 04:55:31.519900084 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 04:55:31.521768093 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:31.884844065 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.885236025 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.966943026 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.966965914 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.967530012 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.969172955 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.969181061 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.969578981 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.969666004 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.973305941 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.983803988 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:31.983839989 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:31.997400045 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:32.053962946 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:32.175438881 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:32.175565004 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:32.306386948 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:32.311263084 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:32.407583952 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:32.456006050 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:32.469665051 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:32.476175070 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:32.480288029 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:32.480307102 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:32.480374098 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:32.480619907 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 04:55:32.482263088 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 04:55:32.570674896 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:32.575647116 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:32.578687906 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:32.590607882 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:32.674144030 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:32.687583923 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:32.730374098 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:32.746001959 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:32.958612919 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:32.963534117 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:33.061100960 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:33.115909100 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:33.338231087 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:33.338255882 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:33.339173079 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:33.340401888 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:33.340413094 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:33.422355890 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:33.427298069 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:33.434415102 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:33.434458971 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:33.434600115 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:33.434789896 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:33.434808016 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:33.443696976 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:33.443768024 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:33.445904970 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:33.447191000 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:33.447210073 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:33.523359060 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:33.572268963 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:33.645720959 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:33.650837898 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:33.763813972 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:33.812797070 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:33.860413074 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:33.860660076 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:33.864543915 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:33.864543915 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:33.864562035 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:33.864810944 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:33.867033958 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:33.870325089 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:33.871943951 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:33.949032068 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:33.949233055 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:33.968413115 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:33.987699032 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:33.987792969 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:33.991354942 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:33.991420031 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:33.991776943 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:33.997529030 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:33.997728109 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:33.997817993 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:33.997920990 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:33.999025106 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:33.999059916 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:33.999114037 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:33.999445915 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:33.999448061 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:33.999908924 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:34.002470016 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:34.006380081 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:34.011296034 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:34.027285099 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.027312040 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.027357101 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.027436018 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.027458906 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.027616978 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.027625084 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.029663086 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.040509939 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.040548086 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.054188967 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.054219007 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.054421902 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.055825949 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.055851936 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.100086927 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:34.107198954 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:34.150824070 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:34.161263943 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:34.532053947 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.532320976 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.532367945 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.532648087 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.536221027 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.536230087 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.536612034 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.540891886 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.540914059 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.541356087 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.541435003 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.541578054 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.566541910 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.566646099 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.566756010 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.566785097 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.566845894 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.566915989 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.566947937 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.566987038 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.567146063 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.567277908 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.567343950 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:34.567502975 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:34.567538977 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:37.672264099 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:37.677340984 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:37.775985003 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:37.831235886 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:38.032167912 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:38.037219048 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:38.133018970 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:38.176780939 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:42.903331041 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:42.903357029 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:42.904108047 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:42.905322075 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:42.905339956 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:42.909955978 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:42.914840937 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:43.012672901 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:43.061058998 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:43.409037113 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:43.409143925 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:43.411058903 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:43.412379980 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:43.412430048 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:43.498059034 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:43.498156071 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:43.502515078 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:43.502528906 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:43.502595901 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:43.503199100 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:43.503268957 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:43.892153025 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:43.892257929 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:43.895749092 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:43.895771980 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:43.895812988 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:43.896032095 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:43.896142960 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:45.934104919 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:45.937732935 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:45.937804937 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:45.938251972 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:45.939188004 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:45.940411091 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:45.940448046 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:46.037410021 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:46.085354090 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:46.433242083 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:46.433347940 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:46.840717077 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:46.840786934 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:46.841480017 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:46.841612101 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:47.559422016 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:55:47.559488058 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 04:55:47.563098907 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:47.568274975 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:47.665878057 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:47.721477985 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:47.824191093 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:47.829328060 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:47.925091982 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:47.931092978 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:47.936295033 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:47.975495100 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:48.033946991 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:48.075782061 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:55.403187990 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:55.403233051 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:55.403528929 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:55.404870987 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:55.404886961 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:55.902728081 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:55.902813911 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:55.908087969 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:55.908097029 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:55.908219099 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:55.908308029 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 04:55:55.908457041 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:55:55.912177086 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:55.917062044 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:56.013945103 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:56.017772913 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:56.022615910 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:56.055643082 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:56.121360064 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:56.178033113 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:57.052798986 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.052890062 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.056296110 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.056480885 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.056503057 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.060131073 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.060218096 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:57.060437918 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.060734034 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.060770988 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:57.063105106 CEST	49775	443	192.168.2.4	52.222.236.23
Oct 14, 2024 04:55:57.063126087 CEST	443	49775	52.222.236.23	192.168.2.4
Oct 14, 2024 04:55:57.063559055 CEST	49775	443	192.168.2.4	52.222.236.23
Oct 14, 2024 04:55:57.063683033 CEST	49775	443	192.168.2.4	52.222.236.23
Oct 14, 2024 04:55:57.063709021 CEST	443	49775	52.222.236.23	192.168.2.4
Oct 14, 2024 04:55:57.083904028 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:57.083993912 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:57.087081909 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:57.088380098 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:57.088418007 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:57.100159883 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 14, 2024 04:55:57.100203991 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 14, 2024 04:55:57.102560997 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 14, 2024 04:55:57.103774071 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 14, 2024 04:55:57.103801012 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 14, 2024 04:55:57.533307076 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.533400059 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.542027950 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:57.543499947 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.543528080 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.543802977 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.544142962 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.547909021 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.547957897 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:57.548419952 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:57.553065062 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.553200006 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.553282022 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.553383112 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.553509951 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:57.553797960 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.553958893 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.554014921 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.559428930 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:57.564565897 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:57.589524984 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:57.589620113 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:57.595812082 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:57.595812082 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:57.595839024 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:57.596101046 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 04:55:57.596517086 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 04:55:57.599293947 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 14, 2024 04:55:57.601254940 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 14, 2024 04:55:57.607307911 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 14, 2024 04:55:57.607307911 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 14, 2024 04:55:57.607364893 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 14, 2024 04:55:57.607846022 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 14, 2024 04:55:57.613379955 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 14, 2024 04:55:57.630150080 CEST	49778	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.630223036 CEST	443	49778	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:57.630342960 CEST	49778	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.630506992 CEST	49778	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:57.630516052 CEST	443	49778	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:57.660621881 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:57.663868904 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:57.669080019 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:57.713704109 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:57.766489029 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:57.809699059 CEST	443	49775	52.222.236.23	192.168.2.4
Oct 14, 2024 04:55:57.809925079 CEST	49775	443	192.168.2.4	52.222.236.23
Oct 14, 2024 04:55:57.813922882 CEST	49775	443	192.168.2.4	52.222.236.23
Oct 14, 2024 04:55:57.813941956 CEST	443	49775	52.222.236.23	192.168.2.4
Oct 14, 2024 04:55:57.814094067 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:57.814260960 CEST	443	49775	52.222.236.23	192.168.2.4
Oct 14, 2024 04:55:57.817063093 CEST	49775	443	192.168.2.4	52.222.236.23
Oct 14, 2024 04:55:57.817163944 CEST	49775	443	192.168.2.4	52.222.236.23
Oct 14, 2024 04:55:57.817311049 CEST	443	49775	52.222.236.23	192.168.2.4
Oct 14, 2024 04:55:57.826092958 CEST	49775	443	192.168.2.4	52.222.236.23
Oct 14, 2024 04:55:57.826663017 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.826705933 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.827172041 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.827299118 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.827306986 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.829423904 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.829510927 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.829819918 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.829958916 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.829987049 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.832575083 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.832592964 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.834393978 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:57.835320950 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.835443974 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:57.835458040 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:57.839318991 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:57.935723066 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:57.938957930 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:57.944458008 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:57.983364105 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.042155027 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.083542109 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.137955904 CEST	443	49778	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:58.138041973 CEST	49778	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:58.142452002 CEST	49778	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:58.142461061 CEST	443	49778	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:58.143536091 CEST	443	49778	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:58.145555973 CEST	49778	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:58.145659924 CEST	49778	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:58.146193027 CEST	443	49778	34.149.100.209	192.168.2.4
Oct 14, 2024 04:55:58.146873951 CEST	49778	443	192.168.2.4	34.149.100.209
Oct 14, 2024 04:55:58.149000883 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.153893948 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.265779018 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.269028902 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.273956060 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.315720081 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.347934008 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.348057985 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.351653099 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.351667881 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.352775097 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.354084969 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.354300022 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.354542017 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.354638100 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.354922056 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.356340885 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.356358051 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.356470108 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.356479883 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.360002995 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.360029936 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.360433102 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.364569902 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.364593029 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.365565062 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.366574049 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.370321035 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.370687008 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.371049881 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.371072054 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.371153116 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.371484041 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.371620893 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 04:55:58.371623993 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.374643087 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.374667883 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 04:55:58.415674925 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.467233896 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.470130920 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.475369930 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.516007900 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:55:58.572640896 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:55:58.616370916 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:08.480737925 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:08.486361980 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:08.581008911 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:08.586637974 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:16.101324081 CEST	49818	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:16.101356030 CEST	443	49818	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:16.101624966 CEST	49818	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:16.103543997 CEST	49818	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:16.103560925 CEST	443	49818	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:16.582833052 CEST	443	49818	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:16.582940102 CEST	49818	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:16.588428974 CEST	49818	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:16.588449001 CEST	443	49818	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:16.588566065 CEST	49818	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:16.588794947 CEST	443	49818	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:16.589179993 CEST	49818	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:16.591629028 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:16.596987009 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:16.692387104 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:16.698843002 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:16.703739882 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:16.738522053 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:16.803324938 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:16.854345083 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:26.299381018 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:26.304280996 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:26.400233984 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:26.406342030 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:26.411313057 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:26.448554993 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:26.509157896 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:26.564507008 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:26.692936897 CEST	49887	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.692956924 CEST	443	49887	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:26.693280935 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.693286896 CEST	443	49888	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:26.693901062 CEST	49887	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.693919897 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.694092035 CEST	49887	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.694098949 CEST	443	49887	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:26.694192886 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.694200993 CEST	443	49888	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:26.696577072 CEST	49889	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.696619034 CEST	443	49889	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:26.697087049 CEST	49889	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.697318077 CEST	49889	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:26.697339058 CEST	443	49889	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.177586079 CEST	443	49888	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.177654982 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.180882931 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.180893898 CEST	443	49888	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.181231022 CEST	443	49888	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.182038069 CEST	443	49887	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.183463097 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.183559895 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.183640003 CEST	443	49888	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.187067986 CEST	443	49889	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.189258099 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.189273119 CEST	49888	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.189285040 CEST	49887	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.189313889 CEST	49889	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.193808079 CEST	49887	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.193814993 CEST	443	49887	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.193968058 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:27.194020033 CEST	443	49887	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.197540998 CEST	49889	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.197590113 CEST	443	49889	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.198349953 CEST	443	49889	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.198932886 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:27.201128960 CEST	49887	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.201270103 CEST	443	49887	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.201282978 CEST	49887	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.201287985 CEST	443	49887	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.201533079 CEST	49889	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.201605082 CEST	49889	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.201936007 CEST	443	49889	34.120.208.123	192.168.2.4
Oct 14, 2024 04:56:27.201963902 CEST	49887	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.202373028 CEST	49889	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:56:27.294600010 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:27.302212000 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:27.307156086 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:27.344855070 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:27.405076981 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:27.460707903 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:37.300708055 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:37.305636883 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:37.416728020 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:37.421840906 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:47.320429087 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:47.325397015 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:47.436347961 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:47.441593885 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:56.608935118 CEST	50054	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:56.609025955 CEST	443	50054	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:56.609138966 CEST	50054	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:56.610608101 CEST	50054	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:56.610690117 CEST	443	50054	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:57.088023901 CEST	443	50054	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:57.088356018 CEST	50054	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:57.093580008 CEST	50054	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:57.093642950 CEST	443	50054	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:57.093698025 CEST	50054	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:57.093832970 CEST	443	50054	34.107.243.93	192.168.2.4
Oct 14, 2024 04:56:57.094991922 CEST	50054	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:56:57.097121000 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:57.101941109 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:57.197819948 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:57.204163074 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:57.209126949 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:57.241981983 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:56:57.306528091 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:56:57.373622894 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:07.207525015 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:07.212734938 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:07.323466063 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:07.328486919 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:17.216919899 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:17.222270012 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:17.332953930 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:17.338182926 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:27.224028111 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:27.230524063 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:27.346425056 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:27.351475954 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:37.236010075 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:37.241383076 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:37.351846933 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:37.357443094 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:47.264029026 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:47.269172907 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:47.367103100 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:47.372164011 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:57.275309086 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:57.281738997 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:57:57.375484943 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:57:57.380597115 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:07.287723064 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:07.294096947 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:07.388073921 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:07.393409014 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:17.206532001 CEST	50055	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:58:17.206589937 CEST	443	50055	34.107.243.93	192.168.2.4
Oct 14, 2024 04:58:17.206712961 CEST	50055	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:58:17.208199024 CEST	50055	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:58:17.208234072 CEST	443	50055	34.107.243.93	192.168.2.4
Oct 14, 2024 04:58:17.297573090 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:17.302731991 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:17.397926092 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:17.403208971 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:17.689368010 CEST	443	50055	34.107.243.93	192.168.2.4
Oct 14, 2024 04:58:17.689651012 CEST	50055	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:58:17.695893049 CEST	50055	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:58:17.695933104 CEST	443	50055	34.107.243.93	192.168.2.4
Oct 14, 2024 04:58:17.695993900 CEST	50055	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:58:17.696566105 CEST	443	50055	34.107.243.93	192.168.2.4
Oct 14, 2024 04:58:17.696640015 CEST	50055	443	192.168.2.4	34.107.243.93
Oct 14, 2024 04:58:17.699069977 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:17.703936100 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:17.799838066 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:17.804327011 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:17.809300900 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:17.845870018 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:17.906841040 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:17.962095022 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:27.456700087 CEST	50056	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.456753969 CEST	443	50056	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.456978083 CEST	50057	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.456979036 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457076073 CEST	443	50057	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.457106113 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457117081 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.457123041 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.457176924 CEST	50056	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457345009 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457345009 CEST	50056	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457362890 CEST	443	50056	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.457398891 CEST	50057	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457400084 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457532883 CEST	50057	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457568884 CEST	443	50057	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.457628965 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457643032 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.457745075 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.457772970 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.807707071 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:27.812782049 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:27.907958984 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:27.912887096 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:27.934053898 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.934142113 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.934551001 CEST	443	50056	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.934633970 CEST	50056	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.937405109 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.937432051 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.937962055 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.938081026 CEST	443	50057	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.938996077 CEST	50057	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.939604044 CEST	50056	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.939616919 CEST	443	50056	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.940109015 CEST	443	50056	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.942220926 CEST	50057	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.942275047 CEST	443	50057	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.943228006 CEST	443	50057	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.944983006 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.945090055 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.945450068 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.945979118 CEST	50056	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.946048021 CEST	50056	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.946553946 CEST	50057	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.946553946 CEST	50057	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.946633101 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.946650982 CEST	443	50056	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.947032928 CEST	443	50057	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.947365046 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.947403908 CEST	50056	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.947436094 CEST	50057	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.949007988 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.949745893 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.949773073 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.950536013 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.951836109 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.951909065 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.952215910 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 04:58:27.952442884 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 04:58:27.954103947 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:27.959455013 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:28.055808067 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:28.058662891 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:28.064591885 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:28.103135109 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 04:58:28.161937952 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 04:58:28.208892107 CEST	49753	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 04:55:27.568788052 CEST	51354	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:27.608551025 CEST	53	51354	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:27.635104895 CEST	59791	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:27.642247915 CEST	53	59791	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:29.723241091 CEST	57781	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:29.730190039 CEST	53	57781	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:29.731556892 CEST	55609	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:29.738212109 CEST	53	55609	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:29.743037939 CEST	57729	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:29.749774933 CEST	53	57729	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:29.839436054 CEST	54542	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:29.847407103 CEST	61129	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:29.854266882 CEST	53	61129	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:29.855792999 CEST	49311	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:29.862678051 CEST	53	49311	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.120336056 CEST	49636	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.126147032 CEST	54773	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.127876043 CEST	53	49636	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.131874084 CEST	64406	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.132812977 CEST	53	54773	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.134349108 CEST	49699	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.138767958 CEST	53	64406	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.139910936 CEST	54983	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.141171932 CEST	53	49699	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.146781921 CEST	53	54983	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.147650003 CEST	54532	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.154546022 CEST	53	54532	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.155563116 CEST	52882	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.162709951 CEST	53	52882	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.166610003 CEST	54290	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.174017906 CEST	53	54290	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.421808004 CEST	54769	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.422241926 CEST	51423	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.428483009 CEST	53	54769	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.428762913 CEST	53	51423	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.447078943 CEST	65058	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.517141104 CEST	59861	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.524434090 CEST	53	59861	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.526104927 CEST	55170	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.533256054 CEST	53	55170	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:30.534087896 CEST	50524	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:30.541490078 CEST	53	50524	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:32.362150908 CEST	64854	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:32.409792900 CEST	53	52012	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:32.573312998 CEST	56281	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:32.590529919 CEST	53	56281	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:32.592355013 CEST	55229	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:32.603708029 CEST	53	55229	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:32.609678984 CEST	62553	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:32.616813898 CEST	53	62553	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:33.424551010 CEST	58653	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:33.431915045 CEST	53	58653	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:33.435492039 CEST	63609	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:33.442065954 CEST	53	63609	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:33.443970919 CEST	59237	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:33.450604916 CEST	53	59237	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:33.495501995 CEST	61348	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:33.502166033 CEST	53	61348	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:34.027271032 CEST	49795	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:34.035887003 CEST	53	49795	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:34.046471119 CEST	53676	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:34.053466082 CEST	53	53676	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:37.658382893 CEST	54833	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:37.665354967 CEST	53	54833	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:37.678128004 CEST	51724	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:37.685193062 CEST	53	51724	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:37.690922022 CEST	64641	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:37.698077917 CEST	53	64641	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.887232065 CEST	50527	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.887586117 CEST	53194	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.888011932 CEST	63861	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.893840075 CEST	53	50527	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.894105911 CEST	53	53194	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.894961119 CEST	53	63861	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.904016972 CEST	64187	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.905808926 CEST	62542	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.907201052 CEST	49445	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.910778046 CEST	53	64187	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.911819935 CEST	60595	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.913052082 CEST	53	62542	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.913501978 CEST	52490	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.914088964 CEST	53	49445	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.914504051 CEST	54847	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.918410063 CEST	53	60595	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.918957949 CEST	61560	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.920224905 CEST	53	52490	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.921180964 CEST	53	54847	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.921250105 CEST	55842	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.921643972 CEST	62419	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.925700903 CEST	53	61560	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.926350117 CEST	64181	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.928016901 CEST	53	55842	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.928900957 CEST	53	62419	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.928976059 CEST	51997	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.933582067 CEST	53	64181	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.935606956 CEST	53	51997	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.937036037 CEST	59005	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.945154905 CEST	53	59005	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:42.949974060 CEST	49912	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:42.957812071 CEST	53	49912	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:43.408530951 CEST	62974	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:43.415370941 CEST	53	62974	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:43.416691065 CEST	49482	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:43.423470020 CEST	53	49482	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:55.395190954 CEST	65450	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:55.402122021 CEST	53	65450	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:55.402669907 CEST	52400	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:55.409521103 CEST	53	52400	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:57.040477037 CEST	64644	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:57.047916889 CEST	53	64644	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:57.054546118 CEST	58052	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:57.062213898 CEST	53	58052	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:57.063496113 CEST	53410	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:57.070951939 CEST	53	53410	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:57.071554899 CEST	57539	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:57.080516100 CEST	53	57539	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:57.090073109 CEST	64960	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:57.097145081 CEST	53	64960	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:57.102256060 CEST	54365	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:57.109908104 CEST	53	54365	1.1.1.1	192.168.2.4
Oct 14, 2024 04:55:57.110812902 CEST	53267	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:55:57.118364096 CEST	53	53267	1.1.1.1	192.168.2.4
Oct 14, 2024 04:56:16.092900991 CEST	56879	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:56:16.100172997 CEST	53	56879	1.1.1.1	192.168.2.4
Oct 14, 2024 04:56:16.100987911 CEST	50541	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:56:16.107816935 CEST	53	50541	1.1.1.1	192.168.2.4
Oct 14, 2024 04:56:16.592060089 CEST	53993	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:56:26.689655066 CEST	52505	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:56:26.696562052 CEST	53	52505	1.1.1.1	192.168.2.4
Oct 14, 2024 04:56:56.607774019 CEST	58461	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:56:56.614794016 CEST	53	58461	1.1.1.1	192.168.2.4
Oct 14, 2024 04:56:56.616189957 CEST	59905	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:56:56.622831106 CEST	53	59905	1.1.1.1	192.168.2.4
Oct 14, 2024 04:58:17.190062046 CEST	54332	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:58:17.197318077 CEST	53	54332	1.1.1.1	192.168.2.4
Oct 14, 2024 04:58:17.198935032 CEST	58845	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:58:17.205462933 CEST	53	58845	1.1.1.1	192.168.2.4
Oct 14, 2024 04:58:17.205986023 CEST	59279	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:58:17.212810993 CEST	53	59279	1.1.1.1	192.168.2.4
Oct 14, 2024 04:58:17.699614048 CEST	57476	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:58:27.456553936 CEST	53182	53	192.168.2.4	1.1.1.1
Oct 14, 2024 04:58:27.463171959 CEST	53	53182	1.1.1.1	192.168.2.4
Oct 14, 2024 04:58:27.954399109 CEST	49844	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 04:55:27.568788052 CEST	192.168.2.4	1.1.1.1	0xe04d	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:27.635104895 CEST	192.168.2.4	1.1.1.1	0x2f0b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:29.723241091 CEST	192.168.2.4	1.1.1.1	0x5c3e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.731556892 CEST	192.168.2.4	1.1.1.1	0xb1a4	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.743037939 CEST	192.168.2.4	1.1.1.1	0x850a	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:29.839436054 CEST	192.168.2.4	1.1.1.1	0x15e7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.847407103 CEST	192.168.2.4	1.1.1.1	0x7f63	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.855792999 CEST	192.168.2.4	1.1.1.1	0x3194	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:30.120336056 CEST	192.168.2.4	1.1.1.1	0x63b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.126147032 CEST	192.168.2.4	1.1.1.1	0x45a8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.131874084 CEST	192.168.2.4	1.1.1.1	0x2f44	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.134349108 CEST	192.168.2.4	1.1.1.1	0xa3d3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:30.139910936 CEST	192.168.2.4	1.1.1.1	0xd0e9	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:30.147650003 CEST	192.168.2.4	1.1.1.1	0x3663	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.155563116 CEST	192.168.2.4	1.1.1.1	0xadee	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.166610003 CEST	192.168.2.4	1.1.1.1	0x859b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:30.421808004 CEST	192.168.2.4	1.1.1.1	0x80d9	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.422241926 CEST	192.168.2.4	1.1.1.1	0x9090	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.447078943 CEST	192.168.2.4	1.1.1.1	0x48a5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.517141104 CEST	192.168.2.4	1.1.1.1	0x6dc6	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.526104927 CEST	192.168.2.4	1.1.1.1	0x1ec7	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.534087896 CEST	192.168.2.4	1.1.1.1	0xaf6d	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:32.362150908 CEST	192.168.2.4	1.1.1.1	0x3dc9	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:32.573312998 CEST	192.168.2.4	1.1.1.1	0x7d88	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:32.592355013 CEST	192.168.2.4	1.1.1.1	0x13ab	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:32.609678984 CEST	192.168.2.4	1.1.1.1	0x7bc1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:33.424551010 CEST	192.168.2.4	1.1.1.1	0x5764	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:33.435492039 CEST	192.168.2.4	1.1.1.1	0x76a8	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:33.443970919 CEST	192.168.2.4	1.1.1.1	0x5f5f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:33.495501995 CEST	192.168.2.4	1.1.1.1	0x228b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:34.027271032 CEST	192.168.2.4	1.1.1.1	0x94d3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:34.046471119 CEST	192.168.2.4	1.1.1.1	0xb93e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:37.658382893 CEST	192.168.2.4	1.1.1.1	0x703d	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:37.678128004 CEST	192.168.2.4	1.1.1.1	0x4d3c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:37.690922022 CEST	192.168.2.4	1.1.1.1	0xf3b1	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:42.887232065 CEST	192.168.2.4	1.1.1.1	0xa650	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.887586117 CEST	192.168.2.4	1.1.1.1	0xb918	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.888011932 CEST	192.168.2.4	1.1.1.1	0x34d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:42.904016972 CEST	192.168.2.4	1.1.1.1	0xdc7e	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.905808926 CEST	192.168.2.4	1.1.1.1	0x7dd6	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.907201052 CEST	192.168.2.4	1.1.1.1	0x73c0	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.911819935 CEST	192.168.2.4	1.1.1.1	0x797b	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:42.913501978 CEST	192.168.2.4	1.1.1.1	0x23f	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:42.914504051 CEST	192.168.2.4	1.1.1.1	0xeb61	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.918957949 CEST	192.168.2.4	1.1.1.1	0x43a0	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.921250105 CEST	192.168.2.4	1.1.1.1	0x2efd	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.921643972 CEST	192.168.2.4	1.1.1.1	0xf1f1	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 14, 2024 04:55:42.926350117 CEST	192.168.2.4	1.1.1.1	0x1e13	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.928976059 CEST	192.168.2.4	1.1.1.1	0x9a2e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.937036037 CEST	192.168.2.4	1.1.1.1	0xfab7	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:42.949974060 CEST	192.168.2.4	1.1.1.1	0x4885	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:43.408530951 CEST	192.168.2.4	1.1.1.1	0xe995	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:43.416691065 CEST	192.168.2.4	1.1.1.1	0x11e7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:55.395190954 CEST	192.168.2.4	1.1.1.1	0x4696	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:55.402669907 CEST	192.168.2.4	1.1.1.1	0x6df5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:55:57.040477037 CEST	192.168.2.4	1.1.1.1	0xac81	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 04:55:57.054546118 CEST	192.168.2.4	1.1.1.1	0x8f83	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.063496113 CEST	192.168.2.4	1.1.1.1	0x2790	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.071554899 CEST	192.168.2.4	1.1.1.1	0x332b	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 14, 2024 04:55:57.090073109 CEST	192.168.2.4	1.1.1.1	0xa991	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.102256060 CEST	192.168.2.4	1.1.1.1	0xcc4f	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.110812902 CEST	192.168.2.4	1.1.1.1	0x6635	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:56:16.092900991 CEST	192.168.2.4	1.1.1.1	0x2969	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:56:16.100987911 CEST	192.168.2.4	1.1.1.1	0x7a09	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:56:16.592060089 CEST	192.168.2.4	1.1.1.1	0xbd1d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:56:26.689655066 CEST	192.168.2.4	1.1.1.1	0xb81e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:56:56.607774019 CEST	192.168.2.4	1.1.1.1	0xd014	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:56:56.616189957 CEST	192.168.2.4	1.1.1.1	0x681c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:58:17.190062046 CEST	192.168.2.4	1.1.1.1	0x3063	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:58:17.198935032 CEST	192.168.2.4	1.1.1.1	0xa31a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:58:17.205986023 CEST	192.168.2.4	1.1.1.1	0xeac0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:58:17.699614048 CEST	192.168.2.4	1.1.1.1	0x9a1c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:58:27.456553936 CEST	192.168.2.4	1.1.1.1	0xf7a0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 04:58:27.954399109 CEST	192.168.2.4	1.1.1.1	0x54ee	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 04:55:27.560036898 CEST	1.1.1.1	192.168.2.4	0xab35	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:27.608551025 CEST	1.1.1.1	192.168.2.4	0xe04d	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.730190039 CEST	1.1.1.1	192.168.2.4	0x5c3e	No error (0)	youtube.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.738212109 CEST	1.1.1.1	192.168.2.4	0xb1a4	No error (0)	youtube.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.749774933 CEST	1.1.1.1	192.168.2.4	0x850a	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 14, 2024 04:55:29.846280098 CEST	1.1.1.1	192.168.2.4	0x15e7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:29.846280098 CEST	1.1.1.1	192.168.2.4	0x15e7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.854266882 CEST	1.1.1.1	192.168.2.4	0x7f63	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:29.862678051 CEST	1.1.1.1	192.168.2.4	0x3194	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 04:55:30.124485970 CEST	1.1.1.1	192.168.2.4	0xeb64	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:30.124485970 CEST	1.1.1.1	192.168.2.4	0xeb64	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.127876043 CEST	1.1.1.1	192.168.2.4	0x63b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.138767958 CEST	1.1.1.1	192.168.2.4	0x2f44	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.154546022 CEST	1.1.1.1	192.168.2.4	0x3663	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:30.154546022 CEST	1.1.1.1	192.168.2.4	0x3663	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.162709951 CEST	1.1.1.1	192.168.2.4	0xadee	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.428483009 CEST	1.1.1.1	192.168.2.4	0x80d9	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.428762913 CEST	1.1.1.1	192.168.2.4	0x9090	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.428762913 CEST	1.1.1.1	192.168.2.4	0x9090	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.453995943 CEST	1.1.1.1	192.168.2.4	0x48a5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:30.453995943 CEST	1.1.1.1	192.168.2.4	0x48a5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.524434090 CEST	1.1.1.1	192.168.2.4	0x6dc6	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:30.524434090 CEST	1.1.1.1	192.168.2.4	0x6dc6	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:30.524434090 CEST	1.1.1.1	192.168.2.4	0x6dc6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.533256054 CEST	1.1.1.1	192.168.2.4	0x1ec7	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:30.541490078 CEST	1.1.1.1	192.168.2.4	0xaf6d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 04:55:32.371279955 CEST	1.1.1.1	192.168.2.4	0x3dc9	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:32.590529919 CEST	1.1.1.1	192.168.2.4	0x7d88	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:32.603708029 CEST	1.1.1.1	192.168.2.4	0x13ab	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:33.430695057 CEST	1.1.1.1	192.168.2.4	0x48a3	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:33.430695057 CEST	1.1.1.1	192.168.2.4	0x48a3	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:33.431915045 CEST	1.1.1.1	192.168.2.4	0x5764	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:33.442065954 CEST	1.1.1.1	192.168.2.4	0x76a8	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:33.442065954 CEST	1.1.1.1	192.168.2.4	0x76a8	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:33.450604916 CEST	1.1.1.1	192.168.2.4	0x5f5f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:34.025579929 CEST	1.1.1.1	192.168.2.4	0x6106	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:34.035887003 CEST	1.1.1.1	192.168.2.4	0x94d3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:37.665354967 CEST	1.1.1.1	192.168.2.4	0x703d	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:37.665354967 CEST	1.1.1.1	192.168.2.4	0x703d	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:37.665354967 CEST	1.1.1.1	192.168.2.4	0x703d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:37.685193062 CEST	1.1.1.1	192.168.2.4	0x4d3c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893237114 CEST	1.1.1.1	192.168.2.4	0xb63d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.893840075 CEST	1.1.1.1	192.168.2.4	0xa650	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.894105911 CEST	1.1.1.1	192.168.2.4	0xb918	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:42.894105911 CEST	1.1.1.1	192.168.2.4	0xb918	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.910778046 CEST	1.1.1.1	192.168.2.4	0xdc7e	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.913052082 CEST	1.1.1.1	192.168.2.4	0x7dd6	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.914088964 CEST	1.1.1.1	192.168.2.4	0x73c0	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:42.914088964 CEST	1.1.1.1	192.168.2.4	0x73c0	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.918410063 CEST	1.1.1.1	192.168.2.4	0x797b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 04:55:42.918410063 CEST	1.1.1.1	192.168.2.4	0x797b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 04:55:42.918410063 CEST	1.1.1.1	192.168.2.4	0x797b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 04:55:42.918410063 CEST	1.1.1.1	192.168.2.4	0x797b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 04:55:42.920224905 CEST	1.1.1.1	192.168.2.4	0x23f	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 14, 2024 04:55:42.921180964 CEST	1.1.1.1	192.168.2.4	0xeb61	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.925700903 CEST	1.1.1.1	192.168.2.4	0x43a0	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:42.925700903 CEST	1.1.1.1	192.168.2.4	0x43a0	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.925700903 CEST	1.1.1.1	192.168.2.4	0x43a0	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.925700903 CEST	1.1.1.1	192.168.2.4	0x43a0	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.925700903 CEST	1.1.1.1	192.168.2.4	0x43a0	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.928016901 CEST	1.1.1.1	192.168.2.4	0x2efd	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.928900957 CEST	1.1.1.1	192.168.2.4	0xf1f1	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 14, 2024 04:55:42.933582067 CEST	1.1.1.1	192.168.2.4	0x1e13	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.933582067 CEST	1.1.1.1	192.168.2.4	0x1e13	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.933582067 CEST	1.1.1.1	192.168.2.4	0x1e13	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.933582067 CEST	1.1.1.1	192.168.2.4	0x1e13	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:42.935606956 CEST	1.1.1.1	192.168.2.4	0x9a2e	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:43.415370941 CEST	1.1.1.1	192.168.2.4	0xe995	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:55.402122021 CEST	1.1.1.1	192.168.2.4	0x4696	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.047874928 CEST	1.1.1.1	192.168.2.4	0x22ec	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:57.047874928 CEST	1.1.1.1	192.168.2.4	0x22ec	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.062213898 CEST	1.1.1.1	192.168.2.4	0x8f83	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.062213898 CEST	1.1.1.1	192.168.2.4	0x8f83	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.062213898 CEST	1.1.1.1	192.168.2.4	0x8f83	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.062213898 CEST	1.1.1.1	192.168.2.4	0x8f83	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.070951939 CEST	1.1.1.1	192.168.2.4	0x2790	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.070951939 CEST	1.1.1.1	192.168.2.4	0x2790	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.070951939 CEST	1.1.1.1	192.168.2.4	0x2790	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.070951939 CEST	1.1.1.1	192.168.2.4	0x2790	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.097145081 CEST	1.1.1.1	192.168.2.4	0xa991	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:57.097145081 CEST	1.1.1.1	192.168.2.4	0xa991	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:57.109908104 CEST	1.1.1.1	192.168.2.4	0xcc4f	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:55:58.379367113 CEST	1.1.1.1	192.168.2.4	0x4d4e	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:55:58.379367113 CEST	1.1.1.1	192.168.2.4	0x4d4e	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:56:16.100172997 CEST	1.1.1.1	192.168.2.4	0x2969	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:56:16.602032900 CEST	1.1.1.1	192.168.2.4	0xbd1d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:56:16.602032900 CEST	1.1.1.1	192.168.2.4	0xbd1d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:56:26.688383102 CEST	1.1.1.1	192.168.2.4	0x6cff	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:56:56.614794016 CEST	1.1.1.1	192.168.2.4	0xd014	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:58:17.197318077 CEST	1.1.1.1	192.168.2.4	0x3063	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:58:17.205462933 CEST	1.1.1.1	192.168.2.4	0xa31a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:58:17.706337929 CEST	1.1.1.1	192.168.2.4	0x9a1c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:58:17.706337929 CEST	1.1.1.1	192.168.2.4	0x9a1c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:58:27.454894066 CEST	1.1.1.1	192.168.2.4	0x4f13	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 04:58:27.961970091 CEST	1.1.1.1	192.168.2.4	0x54ee	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 04:58:27.961970091 CEST	1.1.1.1	192.168.2.4	0x54ee	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	2756	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 04:55:29.881917000 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:30.334639072 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 51192 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	2756	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 04:55:30.470702887 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:30.946353912 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61875 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	2756	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 04:55:30.860487938 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:31.336204052 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21890 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:32.306386948 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:32.407583952 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21891 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:32.578687906 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:32.687583923 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21891 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:33.422355890 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:33.523359060 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:33.867033958 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:33.968413115 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:34.006380081 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:34.107198954 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21893 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:38.032167912 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:38.133018970 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21897 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:45.934104919 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:46.037410021 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21904 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:47.824191093 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:47.925091982 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21906 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:55.912177086 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:56.013945103 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21914 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:57.559428930 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:57.660621881 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21916 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:57.834393978 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:57.935723066 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21916 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:58.149000883 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:58.265779018 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21917 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:55:58.366574049 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:55:58.467233896 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21917 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:56:08.480737925 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:56:16.591629028 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:56:16.692387104 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21935 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:56:26.299381018 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:56:26.400233984 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21945 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:56:27.193968058 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:56:27.294600010 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21946 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:56:37.300708055 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:56:47.320429087 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:56:57.097121000 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:56:57.197819948 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 21976 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:57:07.207525015 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:17.216919899 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:27.224028111 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:37.236010075 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:47.264029026 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:57.275309086 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:58:07.287723064 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:58:17.699069977 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:58:17.799838066 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 22056 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 04:58:27.954103947 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 04:58:28.055808067 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 22067 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49753	34.107.221.82	80	2756	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 04:55:31.516830921 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:31.997400045 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61876 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:32.570674896 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:32.674144030 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61877 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:32.958612919 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:33.061100960 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61878 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:33.645720959 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:33.763813972 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61878 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:33.997529030 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:34.100086927 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61879 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:37.672264099 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:37.775985003 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61882 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:42.909955978 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:43.012672901 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61887 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:47.563098907 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:47.665878057 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61892 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:47.931092978 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:48.033946991 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61892 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:56.017772913 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:56.121360064 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61901 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:57.663868904 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:57.766489029 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61902 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:57.938957930 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:58.042155027 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61902 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:58.269028902 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:58.371623993 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61903 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:55:58.470130920 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:55:58.572640896 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61903 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:56:08.581008911 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:56:16.698843002 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:56:16.803324938 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61921 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:56:26.406342030 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:56:26.509157896 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61931 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:56:27.302212000 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:56:27.405076981 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61932 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:56:37.416728020 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:56:47.436347961 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:56:57.204163074 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:56:57.306528091 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 61962 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:57:07.323466063 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:17.332953930 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:27.346425056 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:37.351846933 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:47.367103100 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:57:57.375484943 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:58:07.388073921 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 04:58:17.804327011 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:58:17.906841040 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 62042 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 04:58:28.058662891 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 04:58:28.161937952 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 62053 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	22:55:21
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x610000
File size:	919'552 bytes
MD5 hash:	9DD5CC11594C9994399C934C991F562C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1829716761.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:55:22
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xc00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:55:22
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xc00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xc00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xc00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xc00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:55:24
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:55:25
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:55:25
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	22:55:25
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d30234f-83dc-4616-963d-c840c8c3c565} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd4126ff10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	22:55:27
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1568 -parentBuildID 20230927232528 -prefsHandle 4036 -prefMapHandle 2860 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aae5212-1d50-4102-9b86-67ab97c1cbe9} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd533ba410 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	22:55:32
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 2628 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48db7f1c-968e-4dc6-9876-b2cfd4458117} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" 1fd5aacfd10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1550
Total number of Limit Nodes:	50

Executed Functions

Function 006142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0061430D

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

GetCurrentProcess.KERNEL32(?,006ACB64,00000000,?,?), ref: 00614422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00614429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00614454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00614466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00614474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0061447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006144A0

Strings

|O, xrefs: 006536F8
kernel32.dll, xrefs: 0061444F
GetNativeSystemInfo, xrefs: 00614460

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b2cb11d376adfc5a5d71b3f41abb1ff3abfad5972766ada79575461aab621608
Instruction ID: 6a68aed6725d82ac18f4fefa848d771deae57c8ea200b04922faa65fd752596e
Opcode Fuzzy Hash: b2cb11d376adfc5a5d71b3f41abb1ff3abfad5972766ada79575461aab621608
Instruction Fuzzy Hash: 24A1B27290A3E0CFCB11CB697CC05D97FE7AB27741B186899D4819FB22D6304949EB35

Function 006142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006150AA,?,?,00000000,00000000), ref: 006142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006150AA,?,?,00000000,00000000), ref: 006142C9
LoadResource.KERNEL32(?,00000000,?,?,006150AA,?,?,00000000,00000000,?,?,?,?,?,?,00614F20), ref: 006535BE
SizeofResource.KERNEL32(?,00000000,?,?,006150AA,?,?,00000000,00000000,?,?,?,?,?,?,00614F20), ref: 006535D3
LockResource.KERNEL32(006150AA,?,?,006150AA,?,?,00000000,00000000,?,?,?,?,?,?,00614F20,?), ref: 006535E6

Strings

SCRIPT, xrefs: 006142BF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 780167a3065e00306f58bce56b2d3bd0e303122518f7adc383a2f7f0c2b9d937
Instruction ID: d8233ca55e8cf21a567faed6f8dafee304fa768f570d822f379ad2c1e4e6f191
Opcode Fuzzy Hash: 780167a3065e00306f58bce56b2d3bd0e303122518f7adc383a2f7f0c2b9d937
Instruction Fuzzy Hash: 2A117C70200700BFD7219B65DC48FA77BBBEFC6B61F144169F40296250DB71ED409A20

Function 00652BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00612B6B

Part of subcall function 00613A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006E1418,?,00612E7F,?,?,?,00000000), ref: 00613A78

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,006D2224), ref: 00652C10
ShellExecuteW.SHELL32(00000000,?,?,006D2224), ref: 00652C17

Strings

runas, xrefs: 00652C0B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 736384e026cc345092712183f5d9abfb1166363164ab20baddd393e570d9fa8f
Instruction ID: 11f2571a237ae4ccaa303ea9234ca3f214d28262b9101211065c4c59dfb7a8a6
Opcode Fuzzy Hash: 736384e026cc345092712183f5d9abfb1166363164ab20baddd393e570d9fa8f
Instruction Fuzzy Hash: DD11E7315083829AC744FF20D8619FE77E79F92314F0C141DF183062A2CF309ACA9716

Function 0067D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0067D501
Process32FirstW.KERNEL32(00000000,?), ref: 0067D50F
Process32NextW.KERNEL32(00000000,?), ref: 0067D52F
CloseHandle.KERNELBASE(00000000), ref: 0067D5DC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: fba9996aeea0d581c660a6387adb6d21b545c8f644b6281d69a1776eabe3d5b2
Instruction ID: a24fc07a3e5e9b56e9f24ca9364ded58503fed1372a590e130368280b59a7e28
Opcode Fuzzy Hash: fba9996aeea0d581c660a6387adb6d21b545c8f644b6281d69a1776eabe3d5b2
Instruction Fuzzy Hash: 5E31D4711083009FD304EF54C881AEFBBFAEF99354F14492DF585832A1EB71A984CBA2

Function 0067DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00655222), ref: 0067DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0067DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0067DBEE
FindClose.KERNEL32(00000000), ref: 0067DBFA

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 34d6d5029bc99757027e9f2351723049abe5df20a974b0aa9474a2069a7a02a2
Instruction ID: 700b2b718c8752db90a5491318ebacf45d812734edbf6a005fd0a950d03ed4aa
Opcode Fuzzy Hash: 34d6d5029bc99757027e9f2351723049abe5df20a974b0aa9474a2069a7a02a2
Instruction Fuzzy Hash: A6F0A07082091057C3217B78AC0D8AA37BE9F02374B108B02F83AC22E0EBB06E558A95

Function 00634CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006428E9,?,00634CBE,006428E9,006D88B8,0000000C,00634E15,006428E9,00000002,00000000,?,006428E9), ref: 00634D09
TerminateProcess.KERNEL32(00000000,?,00634CBE,006428E9,006D88B8,0000000C,00634E15,006428E9,00000002,00000000,?,006428E9), ref: 00634D10
ExitProcess.KERNEL32 ref: 00634D22

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d4f5eb1bc33b5f2655f9f4b4276a0f677abf7862c49e2eaf9a94bd7bd49a2373
Instruction ID: 0f22947207702c1c8eeb2b55159f6dceda3c47e4d1c26b3d0cb8e6f8947eb82b
Opcode Fuzzy Hash: d4f5eb1bc33b5f2655f9f4b4276a0f677abf7862c49e2eaf9a94bd7bd49a2373
Instruction Fuzzy Hash: 5EE0B631000548ABCF51BF54DD09A997B6BEF42791F104018FC059A232CF35FD42CE84

Function 0061BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#n, xrefs: 006607CE

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#n
API String ID: 3964851224-3205728892
Opcode ID: 91aa3cfb18f8b1695f220f82a1e778b10d839e2f795ead2c45123fb48af468ad
Instruction ID: 8773fb695db1aae56ca30e8008bd64dbb43eb214ed4c088b5cdbfcc390854914
Opcode Fuzzy Hash: 91aa3cfb18f8b1695f220f82a1e778b10d839e2f795ead2c45123fb48af468ad
Instruction Fuzzy Hash: D3A25C706083419FD754DF14C490BAABBE2BF89314F18896DE89A8B352D771EC85CF92

Function 0069AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0069B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069B1D4
_wcslen.LIBCMT ref: 0069B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069B236
_wcslen.LIBCMT ref: 0069B332

Part of subcall function 006805A7: GetStdHandle.KERNEL32(000000F6), ref: 006805C6

_wcslen.LIBCMT ref: 0069B34B
_wcslen.LIBCMT ref: 0069B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0069B3B6
GetLastError.KERNEL32(00000000), ref: 0069B407
CloseHandle.KERNEL32(?), ref: 0069B439
CloseHandle.KERNEL32(00000000), ref: 0069B44A
CloseHandle.KERNEL32(00000000), ref: 0069B45C
CloseHandle.KERNEL32(00000000), ref: 0069B46E
CloseHandle.KERNEL32(?), ref: 0069B4E3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: eb8d59eba0f01f3de2bda19c5664b2e7227edfc3f46eaa795d5336b669337f49
Instruction ID: 1255768969050302f2a43d6edb0c3cb7860b42ee37b8d4993bd1c49d548862b6
Opcode Fuzzy Hash: eb8d59eba0f01f3de2bda19c5664b2e7227edfc3f46eaa795d5336b669337f49
Instruction Fuzzy Hash: 9FF1CF316043409FCB54EF24D991BAEBBE6AF85710F18855DF8858B3A2DB30EC45CB96

Function 0061D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0061D807
timeGetTime.WINMM ref: 0061DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0061DB28
TranslateMessage.USER32(?), ref: 0061DB7B
DispatchMessageW.USER32(?), ref: 0061DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0061DB9F
Sleep.KERNELBASE(0000000A), ref: 0061DBB1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 1b0a00fb322c95604c6eca64828f2172c2f3313c6ef1edca377579b289f174b4
Instruction ID: b80f8db14955186dc35edddbb4227c83dd812e0cbd4649d4551c92b3068d27bb
Opcode Fuzzy Hash: 1b0a00fb322c95604c6eca64828f2172c2f3313c6ef1edca377579b289f174b4
Instruction Fuzzy Hash: 0E42D0706087429FD728CF24C894BEAB7A7BF46314F188A1DE4568B391D774E885CF92

Function 00612CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00612D07
RegisterClassExW.USER32(00000030), ref: 00612D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00612D42
InitCommonControlsEx.COMCTL32(?), ref: 00612D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00612D6F
LoadIconW.USER32(000000A9), ref: 00612D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00612D94

Strings

+, xrefs: 00612CF0
0, xrefs: 00612CE9
AutoIt v3 GUI, xrefs: 00612D23
TaskbarCreated, xrefs: 00612D37

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c833ad6df2a1e347b85ce1e55d013da4eb211065ea1b18fdd3f51ea150581c03
Instruction ID: cd6099c1c779ea67152580e7f7808f6094646e2e5db0acedc24f0b23073aaf92
Opcode Fuzzy Hash: c833ad6df2a1e347b85ce1e55d013da4eb211065ea1b18fdd3f51ea150581c03
Instruction Fuzzy Hash: 8421E3B1D01358AFDB00EFA4E889BDDBBB6FB0A711F00911AF511AA2A0D7B55540DFA0

Function 0065065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0065039A: CreateFileW.KERNELBASE(00000000,00000000,?,00650704,?,?,00000000,?,00650704,00000000,0000000C), ref: 006503B7

GetLastError.KERNEL32 ref: 0065076F
__dosmaperr.LIBCMT ref: 00650776
GetFileType.KERNELBASE(00000000), ref: 00650782
GetLastError.KERNEL32 ref: 0065078C
__dosmaperr.LIBCMT ref: 00650795
CloseHandle.KERNEL32(00000000), ref: 006507B5
CloseHandle.KERNEL32(?), ref: 006508FF
GetLastError.KERNEL32 ref: 00650931
__dosmaperr.LIBCMT ref: 00650938

Strings

H, xrefs: 006508BD

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 63df0981fa01945f9c24046201aca6ec5c355215617c48ca391beeddac83382c
Instruction ID: 9c2336a6af5b44a5934bad396cbbac5502f1adc8c4d82f9e5f0c1405057c977c
Opcode Fuzzy Hash: 63df0981fa01945f9c24046201aca6ec5c355215617c48ca391beeddac83382c
Instruction Fuzzy Hash: 3DA12532A001449FEF19AF68D891BAE7BA2AB0A321F14015DFC159F392DB31DD17CB95

Function 0061344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00613A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006E1418,?,00612E7F,?,?,?,00000000), ref: 00613A78

Part of subcall function 00613357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00613379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0061356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0065318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006531CE
RegCloseKey.ADVAPI32(?), ref: 00653210
_wcslen.LIBCMT ref: 00653277
_wcslen.LIBCMT ref: 00653286

Strings

Include, xrefs: 00653184, 006531C5
Software\AutoIt v3\AutoIt, xrefs: 00613560
\Include\, xrefs: 00613527
\, xrefs: 0065328C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 4e1ecab3ec4a98a7ccad919c81c14115b0ff9e849b8b07e9ca28c6aaf60ced8e
Instruction ID: 43c0b902c0661398e0ec93eaa901618b4d2447e46235c895bf3b6665a43dc0cb
Opcode Fuzzy Hash: 4e1ecab3ec4a98a7ccad919c81c14115b0ff9e849b8b07e9ca28c6aaf60ced8e
Instruction Fuzzy Hash: 8C71A1714043529EC314EF65DC928ABBBEBFF85750F44182DF5458B260DB709A88CFA5

Function 00612B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00612B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00612B9D
LoadIconW.USER32(00000063), ref: 00612BB3
LoadIconW.USER32(000000A4), ref: 00612BC5
LoadIconW.USER32(000000A2), ref: 00612BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00612BEF
RegisterClassExW.USER32(?), ref: 00612C40

Part of subcall function 00612CD4: GetSysColorBrush.USER32(0000000F), ref: 00612D07
Part of subcall function 00612CD4: RegisterClassExW.USER32(00000030), ref: 00612D31
Part of subcall function 00612CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00612D42
Part of subcall function 00612CD4: InitCommonControlsEx.COMCTL32(?), ref: 00612D5F
Part of subcall function 00612CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00612D6F
Part of subcall function 00612CD4: LoadIconW.USER32(000000A9), ref: 00612D85
Part of subcall function 00612CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00612D94

Strings

#, xrefs: 00612C16
AutoIt v3, xrefs: 00612C2F
0, xrefs: 00612C0F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ef428cafb2fe547dbb3215e7ae781eed3f184a49af9bc970739f24acfc83b581
Instruction ID: bc6acc6e2357598220855631bf28734d1019891b9d6dc5e741979528d356b53a
Opcode Fuzzy Hash: ef428cafb2fe547dbb3215e7ae781eed3f184a49af9bc970739f24acfc83b581
Instruction Fuzzy Hash: 9F212F74E00354AFDB109F95EC95A9DBFB6FB4AB50F04101AF500AE7A0D7B15A40EF94

Function 00613170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0061316A,?,?), ref: 006131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0061316A,?,?), ref: 00613204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00613227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0061316A,?,?), ref: 00613232
CreatePopupMenu.USER32 ref: 00613246
PostQuitMessage.USER32(00000000), ref: 00613267

Strings

TaskbarCreated, xrefs: 0061322D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c213541b2c0ae94427650d672c5f5491f6df6bd3509cd0bb0c16f9e28391b1fd
Instruction ID: 904c5d3af1e124132641cc7a34f64d322fc6bc0c2950724f3953aeb86ca48af3
Opcode Fuzzy Hash: c213541b2c0ae94427650d672c5f5491f6df6bd3509cd0bb0c16f9e28391b1fd
Instruction Fuzzy Hash: DB411931240364ABDB146B789D6E7F93A6BE707350F0C1129F9038E3A1C7719BC1A765

Function 00611410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00611459
CoUninitialize.COMBASE ref: 006114F8
UnregisterHotKey.USER32(?), ref: 006116DD
DestroyWindow.USER32(?), ref: 006524B9
FreeLibrary.KERNEL32(?), ref: 0065251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0065254B

Strings

close all, xrefs: 00611454

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 11c9e3a1325fd6d0b269d1da3be892aefd5444b652dd9c0af0de7596ff604a19
Instruction ID: 14077332ae00857f8a5bf6bdb88f23f982e708be5987d9dc0922d4251427a388
Opcode Fuzzy Hash: 11c9e3a1325fd6d0b269d1da3be892aefd5444b652dd9c0af0de7596ff604a19
Instruction Fuzzy Hash: 58D1AE31701222CFCB19EF14C4A5AA9F7A2BF06711F1842ADE94AAB351DB30ED56CF54

Function 00612C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00612C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00612CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00611CAD,?), ref: 00612CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00611CAD,?), ref: 00612CCF

Strings

edit, xrefs: 00612CAC
AutoIt v3, xrefs: 00612C89, 00612C8E, 00612C8F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e9d936fee9b2f33dcbb350669200efd131be982a0d1973d8b8c126ffcc21c86d
Instruction ID: cd732dc860b6f4f1f9834812642f571a4bd65c82e267301447d7450020f6eaeb
Opcode Fuzzy Hash: e9d936fee9b2f33dcbb350669200efd131be982a0d1973d8b8c126ffcc21c86d
Instruction Fuzzy Hash: D3F0B7755403D07AEB211B17AC88E772EBED7C7F60B01205AF900EA5A0C6715851EEB0

Function 00613B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00613B0F,SwapMouseButtons,00000004,?), ref: 00613B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00613B0F,SwapMouseButtons,00000004,?), ref: 00613B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00613B0F,SwapMouseButtons,00000004,?), ref: 00613B83

Strings

Control Panel\Mouse, xrefs: 00613B3E

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a7dbd835bf2436a0cba13d86220b9b341e4a6706991461aeaa4a0ac412908110
Instruction ID: 02518600f90328da0ae618251382dbb82be8fe51c21a469aa7cc1336be6472d0
Opcode Fuzzy Hash: a7dbd835bf2436a0cba13d86220b9b341e4a6706991461aeaa4a0ac412908110
Instruction Fuzzy Hash: 24112AB5514219FFDB208FA5DC44AEFB7B9EF25754B144459A806D7210E231AE809B60

Function 00613923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006533A2

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00613A04

Strings

Line: , xrefs: 006533EB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 5882856f57102ac2c152cc1291f85e1f88ab3e2d854acc12288c2edf9bc2de38
Instruction ID: 3bb3bb412662d3a30d0b9bad99460a3a24f0fd458622e886bec1eb42cfbc0a61
Opcode Fuzzy Hash: 5882856f57102ac2c152cc1291f85e1f88ab3e2d854acc12288c2edf9bc2de38
Instruction Fuzzy Hash: 67312671408364AEC360EB10DC45BEFB7EAAF45710F08191EF49A97291EF709689C7C6

Function 00612DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00652C8C

Part of subcall function 00613AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00613A97,?,?,00612E7F,?,?,?,00000000), ref: 00613AC2

Part of subcall function 00612DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00612DC4

Strings

`em, xrefs: 00652C85
X, xrefs: 00652C5A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`em
API String ID: 779396738-2186216025
Opcode ID: fc03cc33913b62575c128e5884650e34c3042b6b63667cd35488667c6edc6497
Instruction ID: 8cb830df33f704d49326144914e86e99d6e4bd65d45e76d46ed270d623f3da17
Opcode Fuzzy Hash: fc03cc33913b62575c128e5884650e34c3042b6b63667cd35488667c6edc6497
Instruction Fuzzy Hash: 8121D570E002589FDB81EF94C845BEE7BFAAF49304F04805EF405AB341DBB45A898FA5

Function 0062FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00630668

Part of subcall function 006332A4: RaiseException.KERNEL32(?,?,?,0063068A,?,006E1444,?,?,?,?,?,?,0063068A,00611129,006D8738,00611129), ref: 00633304

__CxxThrowException@8.LIBVCRUNTIME ref: 00630685

Strings

Unknown exception, xrefs: 00630692

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 3b03a79717f8d863728a2950969568d30b68f522b0197856f74997876e57fa49
Instruction ID: 1be6084a41996a1998e18e28e117b15c92076fdab05c2a06cce02613287f9c4f
Opcode Fuzzy Hash: 3b03a79717f8d863728a2950969568d30b68f522b0197856f74997876e57fa49
Instruction Fuzzy Hash: E4F0C23490020D77CB40BBA4E85AC9EBB7F5E01310F604539B824D6696EF71EB6ACAC4

Function 006110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00611BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00611BF4
Part of subcall function 00611BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00611BFC
Part of subcall function 00611BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00611C07
Part of subcall function 00611BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00611C12
Part of subcall function 00611BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00611C1A
Part of subcall function 00611BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00611C22

Part of subcall function 00611B4A: RegisterWindowMessageW.USER32(00000004,?,006112C4), ref: 00611BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0061136A
OleInitialize.OLE32 ref: 00611388
CloseHandle.KERNEL32(00000000,00000000), ref: 006524AB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 36f8fc9a70e8282a0f693218ca66b5347891c48c84094190555e186ba14e385a
Instruction ID: a512d26a6990181c9d5f953b65d88068e37ac44737355a43a7a6d0a8c35a0ef1
Opcode Fuzzy Hash: 36f8fc9a70e8282a0f693218ca66b5347891c48c84094190555e186ba14e385a
Instruction Fuzzy Hash: A071AFF49113C08EC784EF79A88569A3AE3BB8B350754A12ED01ACF3A1EB304485EF45

Function 0067C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00613923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00613A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0067C259
KillTimer.USER32(?,00000001,?,?), ref: 0067C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0067C270

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 40de549a3ce5494acbcb05398e453074f1c2ace3d92894cd4079602e9cde9058
Instruction ID: 3ae7b6d5b1b25f7ba1ef9501c20fdc3d13ab31dd5718ae7efffd22f143c91b97
Opcode Fuzzy Hash: 40de549a3ce5494acbcb05398e453074f1c2ace3d92894cd4079602e9cde9058
Instruction Fuzzy Hash: 5631B170904344AFEB22DB649895BE6BBEE9B07314F00449ED2AEA7242C7746A85CB51

Function 006486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006485CC,?,006D8CC8,0000000C), ref: 00648704
GetLastError.KERNEL32(?,006485CC,?,006D8CC8,0000000C), ref: 0064870E
__dosmaperr.LIBCMT ref: 00648739

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 0ab8a509f449ec22a92ac7f7e71ebc6115f109e8b3d8d24f340cf4889515ab7b
Instruction ID: a0c7082399f2356a573333e0d160cf717d1c4d8c3201b25b6e5c1280e26ca973
Opcode Fuzzy Hash: 0ab8a509f449ec22a92ac7f7e71ebc6115f109e8b3d8d24f340cf4889515ab7b
Instruction Fuzzy Hash: A1014E33A056702FDBE667346885BBE674B4B92774F3A011DFC158B2D3EEA0CC818194

Function 0061DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0061DB7B
DispatchMessageW.USER32(?), ref: 0061DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0061DB9F
Sleep.KERNELBASE(0000000A), ref: 0061DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00661CC9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 3104dd1402f243cd3124529f8dbc55ba795e3b61941d36202e42d9f251531016
Instruction ID: ee55a9b1c0df9136bf70bf346358ae2e8d244320b42802be6318bf6293b757aa
Opcode Fuzzy Hash: 3104dd1402f243cd3124529f8dbc55ba795e3b61941d36202e42d9f251531016
Instruction Fuzzy Hash: ECF05E306443809BE730DB608C89FEA73BEEB86310F144919E61A871C0DB34A4889F25

Function 00621310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006217F6

Strings

CALL, xrefs: 006217C6

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 629d5ae0d46d8b7be5e9248cde224f5b362c85f7ccb12b65766458764410cc61
Instruction ID: cf551563694c67ba17d5a20fe0e0caf69697c8eb081d5083b1ea4c2915329b43
Opcode Fuzzy Hash: 629d5ae0d46d8b7be5e9248cde224f5b362c85f7ccb12b65766458764410cc61
Instruction Fuzzy Hash: FF22BAB06086119FC714DF14E490A6ABBF3BF96314F28896DF4969B3A1D731E841CF82

Function 00613837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00613908

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 490b2a60d8b343e99de5e17d0941e1d5907cd2a941326ca2e71f93d7dbc04175
Instruction ID: ffcce868f2a1300bdfff08da375e6e10349797cf953988d77b22bb19be903a88
Opcode Fuzzy Hash: 490b2a60d8b343e99de5e17d0941e1d5907cd2a941326ca2e71f93d7dbc04175
Instruction Fuzzy Hash: 0731C1706043118FD360DF24D8847D7BBE9FB4A718F04092EF99A8B340E771AA84CB52

Function 0062F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0062F661

Part of subcall function 0061D730: GetInputState.USER32 ref: 0061D807

Sleep.KERNEL32(00000000), ref: 0066F2DE

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: cc36c5a8136662158121e21c82981ed673ad51e282ec993a9ed8374c2a5c3665
Instruction ID: a09d1cd82e0e9edbeb2b5f88b42a4797b446e165016f69ce7202855d6a760cf5
Opcode Fuzzy Hash: cc36c5a8136662158121e21c82981ed673ad51e282ec993a9ed8374c2a5c3665
Instruction Fuzzy Hash: 18F08C312406159FD350EF69E449BAAB7EAEF46760F004029E859C72A0EB70B840CF94

Function 00614ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00614E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00614EDD,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614E9C
Part of subcall function 00614E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00614EAE
Part of subcall function 00614E90: FreeLibrary.KERNEL32(00000000,?,?,00614EDD,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614EFD

Part of subcall function 00614E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00653CDE,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614E62
Part of subcall function 00614E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00614E74
Part of subcall function 00614E59: FreeLibrary.KERNEL32(00000000,?,?,00653CDE,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614E87

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6809dabb91483d813078a1d72f94f84f3e0497acc901290a116cb05fb3d56fed
Instruction ID: c1c5f186ad378ec6399d4d2abd0770fb566394bfa3172d8bc25b21dae583763a
Opcode Fuzzy Hash: 6809dabb91483d813078a1d72f94f84f3e0497acc901290a116cb05fb3d56fed
Instruction Fuzzy Hash: 3411C431600205AECB54FB60D802BED77A79F80B11F14442DF542AB2C1DE719A86DB58

Function 00648402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00648440

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 164470181fda6c1f15e6a188c238a0d886e63b2fbf92542c359440dd321daece
Instruction ID: a05afe1dcaf2b181cf058d648466c16251d052e5e7684ec980f10303fb395daf
Opcode Fuzzy Hash: 164470181fda6c1f15e6a188c238a0d886e63b2fbf92542c359440dd321daece
Instruction Fuzzy Hash: 4A11187590420AAFCB05DF58E9419DE7BF5EF48314F144059FC08AB352DA31DA11CBA5

Function 00645000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00644C7D: RtlAllocateHeap.NTDLL(00000008,00611129,00000000,?,00642E29,00000001,00000364,?,?,?,0063F2DE,00643863,006E1444,?,0062FDF5,?), ref: 00644CBE

_free.LIBCMT ref: 0064506C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 040b89594dbe40de194ddbc1441f97ada69d57dba56ba82cfd1063752191d7f9
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BD0149762047056BE3318F65D881A9AFBEEFB89370F65051DF185832C1EA30A805C7B4

Function 0063E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: a1aa51591b0e618e931aae5236f393464b4bcda623efbeb948b7d0d290ade30d
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 6CF0F432510A149AD7713A6A9C06B9A339B9F63335F10071DF820932D2CB75D80286FD

Function 00644C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00611129,00000000,?,00642E29,00000001,00000364,?,?,?,0063F2DE,00643863,006E1444,?,0062FDF5,?), ref: 00644CBE

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30644fac1ca0b66f663b5a4372649b5e52e68dc1820293f081e940229e3c0fd1
Instruction ID: 371d22a474658ffddce5ed0c89f6856b5422537615bdd36add5576e042039930
Opcode Fuzzy Hash: 30644fac1ca0b66f663b5a4372649b5e52e68dc1820293f081e940229e3c0fd1
Instruction Fuzzy Hash: 47F0E931602224A7DB215F62AC87B9B778BBF417B1F1C4115BC15AA380CE30EC0156E0

Function 00643820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,006E1444,?,0062FDF5,?,?,0061A976,00000010,006E1440,006113FC,?,006113C6,?,00611129), ref: 00643852

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0790b23c5507c81276198047cc6a8da7cf362ba96cb3123ec441eb6f266221c0
Instruction ID: 47c8418974da23cff67d77aa014f267bb83dd63393251de831a1326ca92f40d6
Opcode Fuzzy Hash: 0790b23c5507c81276198047cc6a8da7cf362ba96cb3123ec441eb6f266221c0
Instruction Fuzzy Hash: E6E0E5311002349ED72126A79C00BDBF64BAF827B0F050024BC1596780DB21EE0186E4

Function 00614F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614F6D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d6cb8e0b8211625f1d11da119dce3824bae257450765675b11010bc44ccd5e21
Instruction ID: 6616da2b7c8a1bc8079dbb37c8e6679c6c552522e3a0b67f3869df9e96fd6e14
Opcode Fuzzy Hash: d6cb8e0b8211625f1d11da119dce3824bae257450765675b11010bc44ccd5e21
Instruction Fuzzy Hash: BBF0A070105341CFCB349F20D490892B7E2EF41329318C97EE1DA87710CB319885DF10

Function 006A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 006A2A66

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: fb91068c6d813bcab6e51bd049f3369a55100a6167962314ef9cc3cc9aeb5133
Instruction ID: 945ec27d24cb8c0597c59c24b416f81eec7b7d215a6bef58d0a529e42a1f259c
Opcode Fuzzy Hash: fb91068c6d813bcab6e51bd049f3369a55100a6167962314ef9cc3cc9aeb5133
Instruction Fuzzy Hash: 78E0D8313801166EC750FA34DC905F9734DDB11390700453AAD1AC2100DF309D528AA4

Function 006130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0061314E

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 899e244aa668221562c2e3ab760f08eef59c8fe8352a9a1ddb3a544ffcbdfc6a
Instruction ID: de86dd6d8eaf7a7e21f3a68d2624a7adef5e9da8d6b458b6c22856f4b2466c72
Opcode Fuzzy Hash: 899e244aa668221562c2e3ab760f08eef59c8fe8352a9a1ddb3a544ffcbdfc6a
Instruction Fuzzy Hash: C0F0A7709103589FE752DB24DC867D57BFDA702708F0000E9A1489A281D77057C8CF41

Function 00612DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00612DC4

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4f3f6e2dee2c26fc4c6a45c53976f7b997da1c9bc2c517a5db4b7bec357160e8
Instruction ID: 236178875da0209486ad015b2d96dca67541286532e6f3cd8bd1f3c3532dd843
Opcode Fuzzy Hash: 4f3f6e2dee2c26fc4c6a45c53976f7b997da1c9bc2c517a5db4b7bec357160e8
Instruction Fuzzy Hash: F7E0CD766041245BC710A258DC05FEA77DEDFC9790F054075FD09D7248D960AD848554

Function 00612B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00613837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00613908

Part of subcall function 0061D730: GetInputState.USER32 ref: 0061D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00612B6B

Part of subcall function 006130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0061314E

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f9bb01298e2eb87f30ea51dac1af8b815778fc1c8275c512b076765ce1313dc8
Instruction ID: e2a374a5da79f63e3324bc5086b642a50a7616621e811465f3a0b559ecd1d956
Opcode Fuzzy Hash: f9bb01298e2eb87f30ea51dac1af8b815778fc1c8275c512b076765ce1313dc8
Instruction Fuzzy Hash: B9E0263130429407CB88BB30A8624EDA79B8FD2311F08143EF1434B3A2CE2089C5435A

Function 0065039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00650704,?,?,00000000,?,00650704,00000000,0000000C), ref: 006503B7

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac60faa2f3f05cc500321e2eae6deddcea1242821ec5ccf5a5df79559f242fbf
Instruction ID: c8d6d2a15714d1bb9d6277d2347d69185c8db87fdbf31ced38966efa4fbad25e
Opcode Fuzzy Hash: ac60faa2f3f05cc500321e2eae6deddcea1242821ec5ccf5a5df79559f242fbf
Instruction Fuzzy Hash: 1AD06C3214010DBBDF029F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90

Function 00611CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00611CBC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 224d2077d56b7478ca04e3080295a0950306f530d52447404bc18816df6b7a5e
Instruction ID: b01a899218cc7bae793349ac50857bcb11e813ada40556fc627aea7075f4d879
Opcode Fuzzy Hash: 224d2077d56b7478ca04e3080295a0950306f530d52447404bc18816df6b7a5e
Instruction Fuzzy Hash: CAC09B352803459FF3145780BD9AF107757A749B10F445001F6095D5E3C7B12830EA50

Non-executed Functions

Function 006A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006A96C9
SendMessageW.USER32 ref: 006A96F2
GetKeyState.USER32(00000011), ref: 006A978B
GetKeyState.USER32(00000009), ref: 006A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006A97AE
GetKeyState.USER32(00000010), ref: 006A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006A97E9
SendMessageW.USER32 ref: 006A9810
SendMessageW.USER32(?,00001030,?,006A7E95), ref: 006A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006A9941
SetCapture.USER32(?), ref: 006A994A
ClientToScreen.USER32(?,?), ref: 006A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006A99D6
ReleaseCapture.USER32 ref: 006A99E1
GetCursorPos.USER32(?), ref: 006A9A19
ScreenToClient.USER32(?,?), ref: 006A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 006A9A80
SendMessageW.USER32 ref: 006A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 006A9AEB
SendMessageW.USER32 ref: 006A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006A9B4A
GetCursorPos.USER32(?), ref: 006A9B68
ScreenToClient.USER32(?,?), ref: 006A9B75
GetParent.USER32(?), ref: 006A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 006A9BFA
SendMessageW.USER32 ref: 006A9C2B
ClientToScreen.USER32(?,?), ref: 006A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 006A9CDE
SendMessageW.USER32 ref: 006A9D01
ClientToScreen.USER32(?,?), ref: 006A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006A9D82

Part of subcall function 00629944: GetWindowLongW.USER32(?,000000EB), ref: 00629952

GetWindowLongW.USER32(?,000000F0), ref: 006A9E05

Strings

p#n, xrefs: 006A9990
F, xrefs: 006A9D07
@GUI_DRAGID, xrefs: 006A997D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#n
API String ID: 3429851547-1090767314
Opcode ID: 4e0fe8fac5fd9d978ffbb28fad7ec796fb04610a7d744fcd75d659c940131df3
Instruction ID: 65868cc77ddeb24c867854d4307cbbb775d4d0670e3f5184cb65835d5b3f5388
Opcode Fuzzy Hash: 4e0fe8fac5fd9d978ffbb28fad7ec796fb04610a7d744fcd75d659c940131df3
Instruction Fuzzy Hash: 04426E34604241AFE725EF24CC84AAABBE6FF4A320F24161DF6558B2A1D731EC51DF61

Function 006A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 006A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 006A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 006A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 006A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 006A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 006A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006A4A7E
IsMenu.USER32(?), ref: 006A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006A4B20
GetWindowLongW.USER32(?,000000F0), ref: 006A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 006A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 006A4C82
wsprintfW.USER32 ref: 006A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 006A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 006A4D5A

Strings

%d/%02d/%02d, xrefs: 006A4CA8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: d1c979b8f52c7ff183c8cc8d84487a686550ffb019770224fe03c00273c4846e
Instruction ID: 2535a582ad58f21c4d6bf2c5d6c0ececc62b584e5f0a8b94f8b9f710452ef639
Opcode Fuzzy Hash: d1c979b8f52c7ff183c8cc8d84487a686550ffb019770224fe03c00273c4846e
Instruction Fuzzy Hash: 1612D171500214ABEB25AF28DC49FEE7BFAAF86310F105129F516EA291DFB49D41CF50

Function 0062F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0062F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066F474
IsIconic.USER32(00000000), ref: 0066F47D
ShowWindow.USER32(00000000,00000009), ref: 0066F48A
SetForegroundWindow.USER32(00000000), ref: 0066F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0066F4AA
GetCurrentThreadId.KERNEL32 ref: 0066F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0066F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0066F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0066F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0066F4DE
SetForegroundWindow.USER32(00000000), ref: 0066F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0066F4F6
keybd_event.USER32(00000012,00000000), ref: 0066F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0066F50B
keybd_event.USER32(00000012,00000000), ref: 0066F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0066F519
keybd_event.USER32(00000012,00000000), ref: 0066F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0066F528
keybd_event.USER32(00000012,00000000), ref: 0066F52D
SetForegroundWindow.USER32(00000000), ref: 0066F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0066F557

Strings

Shell_TrayWnd, xrefs: 0066F46F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6fe8b455c2c3a980b8a531a65de88a8aa01438903d3efca06447ce79d5129dbd
Instruction ID: fbb3537aa317c275ddbb1efbd5727ee62fe39c80d0e4e75bf89510fba27a5d0d
Opcode Fuzzy Hash: 6fe8b455c2c3a980b8a531a65de88a8aa01438903d3efca06447ce79d5129dbd
Instruction Fuzzy Hash: 08315471E40218BFEB207BB55C4AFBF7EAEEB45B60F101065F601E61D1CAB16D10AE60

Function 00671201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 006716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0067170D
Part of subcall function 006716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0067173A
Part of subcall function 006716C3: GetLastError.KERNEL32 ref: 0067174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00671286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006712A8
CloseHandle.KERNEL32(?), ref: 006712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006712D1
GetProcessWindowStation.USER32 ref: 006712EA
SetProcessWindowStation.USER32(00000000), ref: 006712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00671310

Part of subcall function 006710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006711FC), ref: 006710D4
Part of subcall function 006710BF: CloseHandle.KERNEL32(?,?,006711FC), ref: 006710E9

Strings

Zm, xrefs: 00671392
default, xrefs: 0067130B
, xrefs: 0067125A
winsta0, xrefs: 006712CC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zm
API String ID: 22674027-3234400889
Opcode ID: 94ebbcc5bdc3d4609ebafaada72d6602d38b7b0d790b1f2b2381358043e62a27
Instruction ID: 7df85db93dfdfc9490a960e87a600851d139c193b2c7618186ae12950c76a296
Opcode Fuzzy Hash: 94ebbcc5bdc3d4609ebafaada72d6602d38b7b0d790b1f2b2381358043e62a27
Instruction Fuzzy Hash: 31819171900209AFDF219FA8DC49FEE7BFAEF06714F14912AF915AA290D7319944CF60

Function 00670B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00671114
Part of subcall function 006710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 00671120
Part of subcall function 006710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 0067112F
Part of subcall function 006710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 00671136
Part of subcall function 006710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00670BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00670C00
GetLengthSid.ADVAPI32(?), ref: 00670C17
GetAce.ADVAPI32(?,00000000,?), ref: 00670C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00670C6D
GetLengthSid.ADVAPI32(?), ref: 00670C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00670C8C
HeapAlloc.KERNEL32(00000000), ref: 00670C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00670CB4
CopySid.ADVAPI32(00000000), ref: 00670CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00670CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00670D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00670D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00670D45
HeapFree.KERNEL32(00000000), ref: 00670D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00670D55
HeapFree.KERNEL32(00000000), ref: 00670D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00670D65
HeapFree.KERNEL32(00000000), ref: 00670D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00670D78
HeapFree.KERNEL32(00000000), ref: 00670D7F

Part of subcall function 00671193: GetProcessHeap.KERNEL32(00000008,00670BB1,?,00000000,?,00670BB1,?), ref: 006711A1
Part of subcall function 00671193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00670BB1,?), ref: 006711A8
Part of subcall function 00671193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00670BB1,?), ref: 006711B7

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7e149ec1e1c43b9618cc25e1d7529c7e11c8977cbdaef719aa4d9556642539df
Instruction ID: 0da17dd92949ca409b526e377a95884ff3f57158ff72eae8b0336342c457dd66
Opcode Fuzzy Hash: 7e149ec1e1c43b9618cc25e1d7529c7e11c8977cbdaef719aa4d9556642539df
Instruction Fuzzy Hash: 36713C75A0020AEBEF10DFA4DC44BEEBBBABF09310F148515E919A6291D771A905CF70

Function 0068EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006ACC08), ref: 0068EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0068EB37
GetClipboardData.USER32(0000000D), ref: 0068EB43
CloseClipboard.USER32 ref: 0068EB4F
GlobalLock.KERNEL32(00000000), ref: 0068EB87
CloseClipboard.USER32 ref: 0068EB91
GlobalUnlock.KERNEL32(00000000), ref: 0068EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0068EBC9
GetClipboardData.USER32(00000001), ref: 0068EBD1
GlobalLock.KERNEL32(00000000), ref: 0068EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0068EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0068EC38
GetClipboardData.USER32(0000000F), ref: 0068EC44
GlobalLock.KERNEL32(00000000), ref: 0068EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0068EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0068EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0068ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0068ECF3
CountClipboardFormats.USER32 ref: 0068ED14
CloseClipboard.USER32 ref: 0068ED59

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3615533f2b1e9a10bf4550c22f4d97d314e2f5e6168f81e183348cb9511b196c
Instruction ID: 7900daeacb2c4d28199b913575e9b4a693207db77d9600af1682fc82e1dd46b7
Opcode Fuzzy Hash: 3615533f2b1e9a10bf4550c22f4d97d314e2f5e6168f81e183348cb9511b196c
Instruction Fuzzy Hash: A261B0342042019FD310FF24D894FAA77E6EF85714F18561DF456973A1DB32E94ACB62

Function 0068698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006869BE
FindClose.KERNEL32(00000000), ref: 00686A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00686A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00686A75

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00686AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00686ADF

Strings

%02d, xrefs: 00686C00, 00686C0A, 00686C5A, 00686CAA, 00686CFA, 00686D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00686B32
%4d%02d%02d%02d%02d%02d, xrefs: 00686B6A
%03d, xrefs: 00686DA2
%4d, xrefs: 00686BB1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9afc46f115113e0846b8b401b4bc635f741eb38d8bc6b9fb127c4aef1ba8876a
Instruction ID: 71857c3bea1b615e322e627b1d88ab9394eaf29ab893c32ad41cbf6d2b226080
Opcode Fuzzy Hash: 9afc46f115113e0846b8b401b4bc635f741eb38d8bc6b9fb127c4aef1ba8876a
Instruction Fuzzy Hash: 63D15DB2508300AEC354EBA4D891EABB7FEAF88704F04491DF585D7291EB74DA44CB62

Function 00689642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00689663
GetFileAttributesW.KERNEL32(?), ref: 006896A1
SetFileAttributesW.KERNEL32(?,?), ref: 006896BB
FindNextFileW.KERNEL32(00000000,?), ref: 006896D3
FindClose.KERNEL32(00000000), ref: 006896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 006896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0068974A
SetCurrentDirectoryW.KERNEL32(006D6B7C), ref: 00689768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00689772
FindClose.KERNEL32(00000000), ref: 0068977F
FindClose.KERNEL32(00000000), ref: 0068978F

Strings

*.*, xrefs: 006896F5

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: be89485c1c689a40c17a3f6bb955e6263372af741263c4d94b02227c01e352ac
Instruction ID: 265d1199c08d87e449951205b683541b854ea7f98bb9473a97be8bdf8b58e4af
Opcode Fuzzy Hash: be89485c1c689a40c17a3f6bb955e6263372af741263c4d94b02227c01e352ac
Instruction Fuzzy Hash: 4B31A3325402196EDF14BFB4DC49AEE77AE9F4A320F184256F915E2290EB30DE848F64

Function 0068979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00689819
FindClose.KERNEL32(00000000), ref: 00689824
FindFirstFileW.KERNEL32(*.*,?), ref: 00689840
SetCurrentDirectoryW.KERNEL32(?), ref: 00689890
SetCurrentDirectoryW.KERNEL32(006D6B7C), ref: 006898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006898B8
FindClose.KERNEL32(00000000), ref: 006898C5
FindClose.KERNEL32(00000000), ref: 006898D5

Part of subcall function 0067DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0067DB00

Strings

*.*, xrefs: 0068983B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 6b0c863758c48bcc2918506cebec50ff648399757bf1b059245f92f95bfcf294
Instruction ID: 842ee69234ffb07854b733d98353df34fdd453872c16249b3680669536d3fd38
Opcode Fuzzy Hash: 6b0c863758c48bcc2918506cebec50ff648399757bf1b059245f92f95bfcf294
Instruction Fuzzy Hash: 0B31A37190061A6EDF10BFB4DC48AEE77AE9F06334F184656F815A3290DB30DE458F64

Function 0069BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0069C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069B6AE,?,?), ref: 0069C9B5
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069C9F1
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069CA68
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0069BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0069BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0069BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0069C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0069C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0069C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0069C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0069C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0069C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0069C382
RegCloseKey.ADVAPI32(00000000), ref: 0069C38F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 65ae6cf68836062e5c0019c66d94705d2f9c23c01112402ea1584fe78ce22007
Instruction ID: b4f4a104610f7e2f3e95e1f549c4e58286ec8399ae0dd85fcbcca3cca14d70fa
Opcode Fuzzy Hash: 65ae6cf68836062e5c0019c66d94705d2f9c23c01112402ea1584fe78ce22007
Instruction Fuzzy Hash: DE025E716042009FDB54DF24C891E6ABBEAEF89314F18849DF44ACB7A2DB31ED45CB51

Function 00688195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00688257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00688267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00688273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00688310
SetCurrentDirectoryW.KERNEL32(?), ref: 00688324
SetCurrentDirectoryW.KERNEL32(?), ref: 00688356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0068838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00688395

Strings

*.*, xrefs: 0068839B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f33681569e5112176011bef6716daf098d7be2a31e58eadb6e83614b30cac03f
Instruction ID: a6d8e31352b372c513509f39d7e540800e52550c0275145df8ccc78f44cdb4a1
Opcode Fuzzy Hash: f33681569e5112176011bef6716daf098d7be2a31e58eadb6e83614b30cac03f
Instruction Fuzzy Hash: A2617B725043459FCB50EF64C8449AEB3EAFF89320F44891EF989C7251EB31EA45CB96

Function 0067D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00613AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00613A97,?,?,00612E7F,?,?,?,00000000), ref: 00613AC2

Part of subcall function 0067E199: GetFileAttributesW.KERNEL32(?,0067CF95), ref: 0067E19A

FindFirstFileW.KERNEL32(?,?), ref: 0067D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0067D1DD
MoveFileW.KERNEL32(?,?), ref: 0067D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0067D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0067D237

Part of subcall function 0067D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0067D21C,?,?), ref: 0067D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0067D253
FindClose.KERNEL32(00000000), ref: 0067D264

Strings

\*.*, xrefs: 0067D0CD, 0067D0D6, 0067D0EB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 79e806e16795cb016ce33582f37e77195bfcca34c4337b02884cdbee45445730
Instruction ID: 389e47af2992772e5f4545004dee4f5d6913391594770011971436dea44b9249
Opcode Fuzzy Hash: 79e806e16795cb016ce33582f37e77195bfcca34c4337b02884cdbee45445730
Instruction Fuzzy Hash: 2661AE3180114D9FCF45EBE0C9929EDB7B7AF15300F288469E51A73292EB316F4ADB64

Function 0068ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0068ED91
EmptyClipboard.USER32 ref: 0068ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0068EDAC
CloseClipboard.USER32 ref: 0068EEA3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 61246feabba2d6296f35098039227b1bac09b79bedc5afafeb8648d0e5a6fe5b
Instruction ID: 5c4401664cd5561e6bd26220404a4c74e6f20cb2ef70b5e032a941901adf18b5
Opcode Fuzzy Hash: 61246feabba2d6296f35098039227b1bac09b79bedc5afafeb8648d0e5a6fe5b
Instruction Fuzzy Hash: B741AD35204611AFE720EF15D888B59BBE2EF45328F14D199E4158B7A2C736FD42CF90

Function 0067E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0067170D
Part of subcall function 006716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0067173A
Part of subcall function 006716C3: GetLastError.KERNEL32 ref: 0067174A

ExitWindowsEx.USER32(?,00000000), ref: 0067E932

Strings

, xrefs: 0067E920
@, xrefs: 0067E925
SeShutdownPrivilege, xrefs: 0067E902
, xrefs: 0067E95C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6c35691d76afd3d3dd4b37e394d57ed4e5824a28400d8b849f1edcc9fb74a65c
Instruction ID: 622d1dc0998892aad8e00beb6819ab0561c3a46e23029971ee9c04da7a17a0ba
Opcode Fuzzy Hash: 6c35691d76afd3d3dd4b37e394d57ed4e5824a28400d8b849f1edcc9fb74a65c
Instruction Fuzzy Hash: 5A019E33610210AFEB5432749C85FFF325E9708350F048462FE0BE21D1E6626C4482D4

Function 00691204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00691276
WSAGetLastError.WSOCK32 ref: 00691283
bind.WSOCK32(00000000,?,00000010), ref: 006912BA
WSAGetLastError.WSOCK32 ref: 006912C5
closesocket.WSOCK32(00000000), ref: 006912F4
listen.WSOCK32(00000000,00000005), ref: 00691303
WSAGetLastError.WSOCK32 ref: 0069130D
closesocket.WSOCK32(00000000), ref: 0069133C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 62f8fee5a4bd6ed08f7f2a3e0eb112b093b630aa4beffdf24f846fae36912fa7
Instruction ID: 18bf8ad174998f7a9b060a6ce865af35897043ab161b27bc27f5e0a817c2548c
Opcode Fuzzy Hash: 62f8fee5a4bd6ed08f7f2a3e0eb112b093b630aa4beffdf24f846fae36912fa7
Instruction Fuzzy Hash: 804181316001019FDB10EF24C494B69BBE7BF47324F288188D8568F796C775ED82CBA1

Function 0067D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00613AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00613A97,?,?,00612E7F,?,?,?,00000000), ref: 00613AC2

Part of subcall function 0067E199: GetFileAttributesW.KERNEL32(?,0067CF95), ref: 0067E19A

FindFirstFileW.KERNEL32(?,?), ref: 0067D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0067D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0067D481
FindClose.KERNEL32(00000000), ref: 0067D498
FindClose.KERNEL32(00000000), ref: 0067D4A1

Strings

\*.*, xrefs: 0067D3F2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: b4e2d4d772533bac8b7d0e38d87513e0a6c380f5614075f86c651cc5233f1527
Instruction ID: f491d4c81deb6887cf707b272f796c0aabba6d68c2c5efbbbb9c5eb2fc87378b
Opcode Fuzzy Hash: b4e2d4d772533bac8b7d0e38d87513e0a6c380f5614075f86c651cc5233f1527
Instruction Fuzzy Hash: 6D3170710183819FC344EF64C8559EFB7EAAE92310F488E1DF4D552291EB30AA49DB67

Function 0064E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0064E645

Strings

1#INF, xrefs: 0064F852
1#SNAN, xrefs: 0064F844
1#QNAN, xrefs: 0064F84B
1#IND, xrefs: 0064F83D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0a6008da05ffa76c77625824c3c650583b4d0b1a840868875a2ceb17dfc0866a
Instruction ID: de860a9c6224dce56d9af4d1b5b3ac231d1c622b64ad751ce4c78f7549728da4
Opcode Fuzzy Hash: 0a6008da05ffa76c77625824c3c650583b4d0b1a840868875a2ceb17dfc0866a
Instruction Fuzzy Hash: 90C23872E046288FDB65CF289D407EAB7B6FB49304F1541EAD84DE7241E779AE818F40

Function 0068648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006864DC
CoInitialize.OLE32(00000000), ref: 00686639
CoCreateInstance.OLE32(006AFCF8,00000000,00000001,006AFB68,?), ref: 00686650
CoUninitialize.OLE32 ref: 006868D4

Strings

.lnk, xrefs: 006864BA, 00686524, 006865E0

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d94a90beb8a5238bc592982d08b2c4f00967ed31a654f8e40c9ab5f6802ed7b3
Instruction ID: 279e35ed5197a15041efb86ceb2d42f5415280b930715c98c8a26eb0c8b80cd2
Opcode Fuzzy Hash: d94a90beb8a5238bc592982d08b2c4f00967ed31a654f8e40c9ab5f6802ed7b3
Instruction Fuzzy Hash: 86D14A715083019FC344EF24C8919ABB7EAFF98704F04496DF5958B2A1EB70ED45CBA6

Function 006922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006922E8

Part of subcall function 0068E4EC: GetWindowRect.USER32(?,?), ref: 0068E504

GetDesktopWindow.USER32 ref: 00692312
GetWindowRect.USER32(00000000), ref: 00692319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00692355
GetCursorPos.USER32(?), ref: 00692381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006923DF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 33dd0920ce192cafcd6284131a9571015187921a795e08be54b55b5a1e2c57e5
Instruction ID: 7b677a6bf4849422e6dd8e5cf715ca2e2f6dafa2964e0b45f4921e5006a8c9c2
Opcode Fuzzy Hash: 33dd0920ce192cafcd6284131a9571015187921a795e08be54b55b5a1e2c57e5
Instruction Fuzzy Hash: 8131D072504316AFCB20DF14C849B9BB7AEFF89320F00191DF98997281DB35E909CB92

Function 00689B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00689B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00689C8B

Part of subcall function 00683874: GetInputState.USER32 ref: 006838CB
Part of subcall function 00683874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00683966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00689BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00689C75

Strings

*.*, xrefs: 00689B5D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 90f9392060614bd4c1c8effaac03e92554a4477e178186e742a9943ff3a42450
Instruction ID: c708f1177058a49a02a5d46d6c1d9ca3f40f2feb69e8d936876556f6d3473fdd
Opcode Fuzzy Hash: 90f9392060614bd4c1c8effaac03e92554a4477e178186e742a9943ff3a42450
Instruction Fuzzy Hash: DC41827194020AAFCF55EFA4C895AFE7BB6EF05310F18415AE805A3291EB319E84CF64

Function 0062997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00629A4E
GetSysColor.USER32(0000000F), ref: 00629B23
SetBkColor.GDI32(?,00000000), ref: 00629B36

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 1195e8540efd0dc595793e02209873d3ee84c97cdd13d45b7589805ed5c99f15
Instruction ID: 2b51dde15cf80b1bb0e801be72c08cb5fc9650d258fc0f6294361e39a98bf762
Opcode Fuzzy Hash: 1195e8540efd0dc595793e02209873d3ee84c97cdd13d45b7589805ed5c99f15
Instruction Fuzzy Hash: DFA12C70108A64AEE728AA3CAC98DFB3A9FDFC3354F14410DF502DA791CA259D42DE75

Function 00691806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0069304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0069307A
Part of subcall function 0069304E: _wcslen.LIBCMT ref: 0069309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0069185D
WSAGetLastError.WSOCK32 ref: 00691884
bind.WSOCK32(00000000,?,00000010), ref: 006918DB
WSAGetLastError.WSOCK32 ref: 006918E6
closesocket.WSOCK32(00000000), ref: 00691915

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 534fc6c4807d2b28cca843dcbebc4cd07038ee602b313c0e0614dd1f21f50965
Instruction ID: 9f0f8f923d8168025ca9f9ab9a8f49b2b0cc1a17d1c74d97d44f70959b335074
Opcode Fuzzy Hash: 534fc6c4807d2b28cca843dcbebc4cd07038ee602b313c0e0614dd1f21f50965
Instruction Fuzzy Hash: 2151C475A002109FEB10AF24C886F6A77EAAF45718F18809CF9155F3D3CB71ED428BA1

Function 006A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006A1CC0
IsWindowEnabled.USER32 ref: 006A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 006A1CDB
IsIconic.USER32 ref: 006A1CE9
IsZoomed.USER32 ref: 006A1CF7

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 270a1b620ab258ee036daf55c49aeb3ef3269cd90e647883763236fdd4388f09
Instruction ID: 8d458b26b33d4be3e263c77e3234abd1ce3583bf668a78adad142ac8f24a682c
Opcode Fuzzy Hash: 270a1b620ab258ee036daf55c49aeb3ef3269cd90e647883763236fdd4388f09
Instruction Fuzzy Hash: 20217E317802115FD720AF2AC854BAA7BE6AF87324F199058E8468B352C775EC42CF94

Function 00618060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0061843C
VUUU, xrefs: 006183FA
VUUU, xrefs: 006183E8
ERCP, xrefs: 0061813C
VUUU, xrefs: 00655DF0

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: eaabcc677fb5d4f2d272e0e46d9955a99e74de31e7be2126967639ed01c11eec
Instruction ID: f4e7c17b7b6a61200e539b8afdfaa11b6ea30d3e2c47b20dd641580732781ba4
Opcode Fuzzy Hash: eaabcc677fb5d4f2d272e0e46d9955a99e74de31e7be2126967639ed01c11eec
Instruction Fuzzy Hash: 63A25A71A0061ACFDF24CF58C8547EDB7B3AB54311F6881A9EC16A7385EB709E85CB90

Function 00678298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006782AA

Strings

|, xrefs: 006782DA
tbm, xrefs: 006784F4
(, xrefs: 006782F0

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbm$|
API String ID: 1659193697-2284458720
Opcode ID: cecedcd6e9ba2c990c46eeee382d7ea876cc9ca68625c4ca166be8764c7535a0
Instruction ID: 5681588a3200c6fb403d3fb5c5d7f67731473e5fa68d546830c1e98c7e927cf2
Opcode Fuzzy Hash: cecedcd6e9ba2c990c46eeee382d7ea876cc9ca68625c4ca166be8764c7535a0
Instruction Fuzzy Hash: 97323674A007059FCB28CF69C0859AAB7F1FF48720B15C56EE49ADB7A1EB70E941CB44

Function 0067AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0067AAAC
SetKeyboardState.USER32(00000080), ref: 0067AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0067AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0067AB88

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac15c30ab3569aa2771324a2a4724077c44c43d56b250204f10314771829dffd
Instruction ID: 3a27d8f6730c7f54fffe6f49fef3a62ff237adb1775cbe084e49270cbe720a26
Opcode Fuzzy Hash: ac15c30ab3569aa2771324a2a4724077c44c43d56b250204f10314771829dffd
Instruction Fuzzy Hash: 5731F730A40208AFEB25CAA4C805BFE77A7AB85720F04C21AF189562D1D3749985C766

Function 0064BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0064BB7F

Part of subcall function 006429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000), ref: 006429DE
Part of subcall function 006429C8: GetLastError.KERNEL32(00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000,00000000), ref: 006429F0

GetTimeZoneInformation.KERNEL32 ref: 0064BB91
WideCharToMultiByte.KERNEL32(00000000,?,006E121C,000000FF,?,0000003F,?,?), ref: 0064BC09
WideCharToMultiByte.KERNEL32(00000000,?,006E1270,000000FF,?,0000003F,?,?,?,006E121C,000000FF,?,0000003F,?,?), ref: 0064BC36

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 386c3a2f0d394f999572b8107344d33707e7b72f7714e0bb838c776d3aad2ebb
Instruction ID: db40177784df937f203a3443af5a7dc04c91ebc7d2a101a30a9e4066486ba3b1
Opcode Fuzzy Hash: 386c3a2f0d394f999572b8107344d33707e7b72f7714e0bb838c776d3aad2ebb
Instruction Fuzzy Hash: A331AE70904245DFCB11DF69CCC086DBBBAFF4671071466AAE150DF2A1DB319E81DB50

Function 0068CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0068CE89
GetLastError.KERNEL32(?,00000000), ref: 0068CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0068CEFE

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 015560226ac9e9e47af08cb1f110d741009f63a742707c3856249397eacb0a26
Instruction ID: c6e965f7383e5b5a2c1e38b08e17c5b289ba14943fbba63bd047866bcbab4083
Opcode Fuzzy Hash: 015560226ac9e9e47af08cb1f110d741009f63a742707c3856249397eacb0a26
Instruction Fuzzy Hash: B821BDB1500305ABEB30EF65C948BA6B7FAEF40324F10451EE64692251EB74EE058BA4

Function 00685C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00685CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00685D17
FindClose.KERNEL32(?), ref: 00685D5F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e95b5466a1c0a1a2f9231ac377b7a48284ad49a94303fd2686384e56e03359be
Instruction ID: d9c9834a325b79d86e4cd6a8736b3f0ad9e69334f7672b9c03efadc23219f66d
Opcode Fuzzy Hash: e95b5466a1c0a1a2f9231ac377b7a48284ad49a94303fd2686384e56e03359be
Instruction Fuzzy Hash: B1519934604A019FC714EF28C494A9AB7E6FF49324F14865EE95A8B3A2CB30FD45CF95

Function 00642622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0064271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00642724
UnhandledExceptionFilter.KERNEL32(?), ref: 00642731

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5624558da54de14366bf9afa95d82e83bf963784578396c917c514f57e7ebfcf
Instruction ID: 38c1abe14a2f48afaab6a25cc3c41d0d46a3e7e5afbb1003d297a0b1884d3bc0
Opcode Fuzzy Hash: 5624558da54de14366bf9afa95d82e83bf963784578396c917c514f57e7ebfcf
Instruction Fuzzy Hash: AB31D47490121DABCB61DF68DD887DCBBB9AF08310F5041EAE80CA7261E7309F858F84

Function 006851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00685238
SetErrorMode.KERNEL32(00000000), ref: 006852A1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: bec085fcf2a162128549147cc904f95b0a7f9dd894713d5dcb6d4e60ac0dacdb
Instruction ID: a7e305b563ea46d574e909da83648f4a04ee54f76a2211f408d660949315571a
Opcode Fuzzy Hash: bec085fcf2a162128549147cc904f95b0a7f9dd894713d5dcb6d4e60ac0dacdb
Instruction Fuzzy Hash: B0312C75A00518DFDB00EF54D894EEDBBB6FF49314F088099E905AB362DB31E956CB90

Function 006716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0062FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00630668
Part of subcall function 0062FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00630685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0067170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0067173A
GetLastError.KERNEL32 ref: 0067174A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f79c0531c16a5a6c5cf3b0cdcf014f9cc9cd9ec2241d834c27116a912b1768ce
Instruction ID: 2e493314c233e07100dc1092cab388907192dbeea07fcf897ed305977cf49bde
Opcode Fuzzy Hash: f79c0531c16a5a6c5cf3b0cdcf014f9cc9cd9ec2241d834c27116a912b1768ce
Instruction Fuzzy Hash: F11191B2404304AFD718AF54EC86D6AB7BEEF45724B20C52EE05657241EB70BC418F24

Function 0067D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0067D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0067D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0067D650

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 052a2513be6ce82a5f6dfeab201f5b585e01fbdb8422e9ce7a78989e97b02018
Instruction ID: fe286a280d53a6dc3400fc94e62f3723cfcb9c5bc68edd1e2df0544ac83cbcc0
Opcode Fuzzy Hash: 052a2513be6ce82a5f6dfeab201f5b585e01fbdb8422e9ce7a78989e97b02018
Instruction Fuzzy Hash: 82118E71E01228BFDB108F94DC44FAFBBBDEB45B60F108111F908E7290D6705A018BA1

Function 00671663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0067168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006716A1
FreeSid.ADVAPI32(?), ref: 006716B1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1e3c9e01d842d976ab8cec1501269b0837ff3b5c6de14ee10fa520792a670293
Instruction ID: f1bf234dd1d1b2a07ef6ebf534edce83b968fe46263e403eb710e9f35d837c64
Opcode Fuzzy Hash: 1e3c9e01d842d976ab8cec1501269b0837ff3b5c6de14ee10fa520792a670293
Instruction Fuzzy Hash: 54F0F47195030DFBDB00DFE49C89AAEBBBDEB08614F508565E501E2181E775AA448A50

Function 0066D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0066D28C

Strings

X64, xrefs: 0066D2A8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3cd62110ba6a563591f04945c3ff6d12765c541d040c79dd7caca6435553239d
Instruction ID: adc6ab8a3f68ce3c77e2854e2601bdbee28b19f9e52bf7a0df90c53f807bb2fb
Opcode Fuzzy Hash: 3cd62110ba6a563591f04945c3ff6d12765c541d040c79dd7caca6435553239d
Instruction Fuzzy Hash: 56D0CAB480116DEBCB90DBA0EC88DDAB3BDBB04305F100292F206A2000DB30A64A9F20

Function 0063CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 3f13b8f8f14e4f85e8268d2b7cb35788e4f730b7d0501438cbb6e80ea876ec90
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 0A02FC72E002199BDF14CFA9C9806EDFBF2EF48324F258169E919F7384D731A9418B94

Function 0061CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#n, xrefs: 0061CF7F
Variable is not of type 'Object'., xrefs: 00660C40

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#n
API String ID: 0-4225366898
Opcode ID: ba6639cfabb9683fdfc37683df30f6bc11c029067965a0ac453a20db7c1d879c
Instruction ID: 532a57aa3b0af53b3d984cf918685e5d313f88d3ea7efe670c20033a31ae7c20
Opcode Fuzzy Hash: ba6639cfabb9683fdfc37683df30f6bc11c029067965a0ac453a20db7c1d879c
Instruction Fuzzy Hash: EC329C70940218DFDF14DF94D891AEEB7B7BF04314F188069E806AB392D775AE86CB61

Function 006868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00686918
FindClose.KERNEL32(00000000), ref: 00686961

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 572f665e08b49d2fe7669f6f24e7ddfc054239871abcdc909f0781f337f3f381
Instruction ID: b1135fcd2018d489af7b1e30b061c7378716845cb5a05d5026366d66d51ccaab
Opcode Fuzzy Hash: 572f665e08b49d2fe7669f6f24e7ddfc054239871abcdc909f0781f337f3f381
Instruction Fuzzy Hash: 231181316042019FC710DF29D484A56BBE6EF85328F14C69DF4698F7A2CB30EC45CB91

Function 006837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00694891,?,?,00000035,?), ref: 006837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00694891,?,?,00000035,?), ref: 006837F4

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ec2cad36d3e885ffb3f92ba4f5309a9a365881929c37765008a15c389991e686
Instruction ID: b0d2f005aff28564ac3e27b51bc818a98fb82f8b3fcdb62cbf7461c90093f6bd
Opcode Fuzzy Hash: ec2cad36d3e885ffb3f92ba4f5309a9a365881929c37765008a15c389991e686
Instruction Fuzzy Hash: 71F0E5B06043282AEB6027668C4DFEB7AAFEFC5B71F000275F509D2381D9609944CBB4

Function 0067B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0067B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0067B270

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: b93420eeca50ef0e0f80ed16f00d75740d79fd0957b9201eaa17e827166d2df6
Instruction ID: 82c016b41c613726466db2f57f915f33f8743e099adc3256433ba0495715921e
Opcode Fuzzy Hash: b93420eeca50ef0e0f80ed16f00d75740d79fd0957b9201eaa17e827166d2df6
Instruction Fuzzy Hash: C7F0177180428EABDB059FA0C806BFE7BB5FF09319F00900AF965A61A2D379D6119F94

Function 006710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006711FC), ref: 006710D4
CloseHandle.KERNEL32(?,?,006711FC), ref: 006710E9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 686ae72ea6ea06caf2bc52fe480fa8aa861f65544894b7fd361bfb725b8084a1
Instruction ID: c199fda769478f7c73691c5b18da076fe3b44cee0ef628537f2c13775b1bc5c2
Opcode Fuzzy Hash: 686ae72ea6ea06caf2bc52fe480fa8aa861f65544894b7fd361bfb725b8084a1
Instruction Fuzzy Hash: 9CE04F32004A10BEE7252B11FC05E7377AAEF05320B10882EF4A6804B1DB626C90DF14

Function 0064676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00646766,?,?,00000008,?,?,0064FEFE,00000000), ref: 00646998

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1b692f1f35a2928e157c4db392a15c3523f2da99f2b13becbe4ac17ae5be63c3
Instruction ID: 6fbc93866c8a4ef44316fd0bd2d3d23de741dbfc41257b4c67a89165b2cd47c4
Opcode Fuzzy Hash: 1b692f1f35a2928e157c4db392a15c3523f2da99f2b13becbe4ac17ae5be63c3
Instruction Fuzzy Hash: 3AB15B316106099FD715CF28C486BA57BE2FF46364F258658F89ACF3A2C375E982CB41

Function 0062B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0066851F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: caebafe425144c145180d16e7f887c5b8c8ed60a42502fb9a285e4c0bd750356
Instruction ID: a0b263da95148cfd8c7e2fcb9a8ba54264b23a6e881397b42005101f78b56e27
Opcode Fuzzy Hash: caebafe425144c145180d16e7f887c5b8c8ed60a42502fb9a285e4c0bd750356
Instruction Fuzzy Hash: 99123C719006299FCB64DF68D8816EEB7F6FF48710F14819AE849EB255DB309E81CF90

Function 0068EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0068EABD

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 542d27c4385ac99576e1be57db5fda55b77a44a0a52485bd424a4b3c5f95ace2
Instruction ID: fd4786a02fff83283d59f54a2fba36c324d7dde34cfd3cc8a2692c0d4ef1497a
Opcode Fuzzy Hash: 542d27c4385ac99576e1be57db5fda55b77a44a0a52485bd424a4b3c5f95ace2
Instruction Fuzzy Hash: F3E04F312002049FC710EF59D804E9AF7EAAF99770F04841AFC49C7361DB71E8818B90

Function 006309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006303EE), ref: 006309DA

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 116a24a34f3b1ffb622cdeaac4cea74822aac84ead19111f9eb0a26fb5408e3b
Instruction ID: b9440e31e40d7c7517f279d6221d880d8d0e3a7ac31330d472503c7b152af65d
Opcode Fuzzy Hash: 116a24a34f3b1ffb622cdeaac4cea74822aac84ead19111f9eb0a26fb5408e3b
Instruction Fuzzy Hash:

Function 0063781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0063798B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 64352fb935587a16eee1bc974b165457f086c9eab5fe5354374f0101c8e7f2cd
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2B515CF160C7456BDB384568845E7FE63CB9B16340F180A2DE986D73C2C625DE42D3D9

Function 00682046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&n, xrefs: 00682053

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: 0&n
API String ID: 0-3003053049
Opcode ID: f77002993858406adaa4cb0635d8e54858d8b4ef3c00df8b776de073ca672fe3
Instruction ID: 7a384d9bcf6b97f9dd068d522b4e7247497121968ba266add6ae24b6f6acaf23
Opcode Fuzzy Hash: f77002993858406adaa4cb0635d8e54858d8b4ef3c00df8b776de073ca672fe3
Instruction Fuzzy Hash: 2A21EB326206118BDB28CF79C8636BE73EAA754310F14862EE4A7C73D0DE75A904C780

Function 0062CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c59a4b0f9290b41527b39cde4b870abb5bc01a58a1556d2fd4f4d250d77831
Instruction ID: 79ce5caa4ed5529809c56557d17ad3ed4c112e728a573018286766dad4d5a074
Opcode Fuzzy Hash: f4c59a4b0f9290b41527b39cde4b870abb5bc01a58a1556d2fd4f4d250d77831
Instruction Fuzzy Hash: FC32E331B009658BCF24CF69D8946BD7BA3EB45330F28856AD4DADB391D630DE82DB41

Function 00617920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff098fe4cc3bf9d8d48fb36ae4145c056dc4a1973c84a31b7a878a697b8d408
Instruction ID: 54d6f0f30da56d48c96c561766413070718fd26d9ffd565fe923fd7539b15ace
Opcode Fuzzy Hash: 6ff098fe4cc3bf9d8d48fb36ae4145c056dc4a1973c84a31b7a878a697b8d408
Instruction Fuzzy Hash: 2422CEB0A0460A9FDF04CFA4D895AEEB3F7FF44300F244529E816A7291EB35AE55CB54

Function 006191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dc08304d81ab36d5c0b154006f7940ac9c7b6f7056d86db10bee87f1a6c39e
Instruction ID: 565412197e5a399ec916518e7203497563e27a628e4931a3a947046d3adc10b4
Opcode Fuzzy Hash: a3dc08304d81ab36d5c0b154006f7940ac9c7b6f7056d86db10bee87f1a6c39e
Instruction Fuzzy Hash: C202E4B0E00219EBDF04DF64D981AAEB7B6FF44300F158169E8169B390EB31EE55CB95

Function 00649EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77640494e88d6496af3243f1c8fe8b43cad33b19957d6ead2aed0cd8e82420fc
Instruction ID: 07ef80d248cf6cc489ca350f4accbdc82a277042ce374511880c8d2512324afb
Opcode Fuzzy Hash: 77640494e88d6496af3243f1c8fe8b43cad33b19957d6ead2aed0cd8e82420fc
Instruction Fuzzy Hash: 32B1D260E2AF904DD72396398821337B69DAFBB6D5B91E71BFC1674E22EB2185C34140

Function 00631C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: f7d3db0050af72386476afb8a0eff5bfc03b040d15d9eff43fd8326615275cc7
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: E49188726080A34ADB29463E85740BEFFE25E933A1B1A079DD4F2CF2C1FE24C955D660

Function 00631F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 189ad20ac4ee2f521b2850645ee7634a762eafa128f42c643e3f770ed5d5b8bb
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 87919A726080A309D76D423E853407EFFE35A933A1B1A079DD4F2CF2C5EE24C558D6A0

Function 006319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 14e9a89765bf0ef1c1c3e484ac59435a9b4ef403fbfbb00fd8fb5cfdee041cd0
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: E79154726090E34ADB2D427A857407EFFE25A933A2B1A079DD4F3CE2C1FE14C665D660

Function 00637A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa6a1995194347a1c4b432bed78fb2b5543a693e70941c3b107020d1c3c9682
Instruction ID: 8bdd52cefba01ac88b596cdd4da662594f994ed69cd4607ef73db2638500fe78
Opcode Fuzzy Hash: ffa6a1995194347a1c4b432bed78fb2b5543a693e70941c3b107020d1c3c9682
Instruction Fuzzy Hash: 186159F160874A6ADA749E2C8D95BFEA3ABDF51700F14091DF843DB381D6119E42C3D9

Function 00637CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b309064dbb6cfeb34f839ac59eb53ca1f06969daa2e0b55b1b82b3ce5a2f4694
Instruction ID: fec81a7e81adcccab0f17a73c45edd8fc0058ac557159e83a677b9625ff4f482
Opcode Fuzzy Hash: b309064dbb6cfeb34f839ac59eb53ca1f06969daa2e0b55b1b82b3ce5a2f4694
Instruction Fuzzy Hash: 536169F160870966DE389A289896BFF239BDF42704F10095DF943DB381DA129D4283D9

Function 00631706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 99e01d75c6dba1aa37acc91a3151ac716141d78cd99ae4d0503645ad6eebd436
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: CB8198325080A34ADB6D463A85341BEFFE35A933A1B1E079DD4F2CF2C1EE24C554D6A0

Function 00692ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00692B30
DeleteObject.GDI32(00000000), ref: 00692B43
DestroyWindow.USER32 ref: 00692B52
GetDesktopWindow.USER32 ref: 00692B6D
GetWindowRect.USER32(00000000), ref: 00692B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00692CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00692CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00692CF8
GetClientRect.USER32(00000000,?), ref: 00692D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00692D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00692D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00692D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00692D80
GlobalLock.KERNEL32(00000000), ref: 00692D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00692D98
GlobalUnlock.KERNEL32(00000000), ref: 00692DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00692DA8
GlobalFree.KERNEL32(00000000), ref: 00692DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00692DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,006AFC38,00000000), ref: 00692DDB
GlobalFree.KERNEL32(00000000), ref: 00692DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00692E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00692E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00692E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0069303F

Strings

, xrefs: 00692FC5
static, xrefs: 00692D3A, 00692E91
DISPLAY, xrefs: 00692EA2
AutoIt v3, xrefs: 00692CF2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 05cea106306897691146df33e72a3bd3b2628951010685d4b964d7bf63b338ce
Instruction ID: 07779757bd7678c3bbe4fa3cc08dc29e6c896a8a2d534b5aa3f01dd7d047912f
Opcode Fuzzy Hash: 05cea106306897691146df33e72a3bd3b2628951010685d4b964d7bf63b338ce
Instruction Fuzzy Hash: A3026C71A00205EFDB14DF64CC89EAE7BBAEF49720F049158F915AB2A1DB74AD41CF60

Function 006A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006A712F
GetSysColorBrush.USER32(0000000F), ref: 006A7160
GetSysColor.USER32(0000000F), ref: 006A716C
SetBkColor.GDI32(?,000000FF), ref: 006A7186
SelectObject.GDI32(?,?), ref: 006A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 006A71C0
GetSysColor.USER32(00000010), ref: 006A71C8
CreateSolidBrush.GDI32(00000000), ref: 006A71CF
FrameRect.USER32(?,?,00000000), ref: 006A71DE
DeleteObject.GDI32(00000000), ref: 006A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 006A7230
FillRect.USER32(?,?,?), ref: 006A7262
GetWindowLongW.USER32(?,000000F0), ref: 006A7284

Part of subcall function 006A73E8: GetSysColor.USER32(00000012), ref: 006A7421
Part of subcall function 006A73E8: SetTextColor.GDI32(?,?), ref: 006A7425
Part of subcall function 006A73E8: GetSysColorBrush.USER32(0000000F), ref: 006A743B
Part of subcall function 006A73E8: GetSysColor.USER32(0000000F), ref: 006A7446
Part of subcall function 006A73E8: GetSysColor.USER32(00000011), ref: 006A7463
Part of subcall function 006A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006A7471
Part of subcall function 006A73E8: SelectObject.GDI32(?,00000000), ref: 006A7482
Part of subcall function 006A73E8: SetBkColor.GDI32(?,00000000), ref: 006A748B
Part of subcall function 006A73E8: SelectObject.GDI32(?,?), ref: 006A7498
Part of subcall function 006A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006A74B7
Part of subcall function 006A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006A74CE
Part of subcall function 006A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006A74DB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8d34c567adb900b77b81e59d11545310504800d79b432e23f92335ad21c747a1
Instruction ID: 4229244fb62fec2eea3e8c4b2e39f25016f4abfdac208b89ccbf7e8436a048f4
Opcode Fuzzy Hash: 8d34c567adb900b77b81e59d11545310504800d79b432e23f92335ad21c747a1
Instruction Fuzzy Hash: 92A19E72508301AFDB00AF64DC48A6BBBEAFB8A331F101A19F962961E1D771ED45CF51

Function 00628D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00628E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00666AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00666AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00666F43

Part of subcall function 00628F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00628BE8,?,00000000,?,?,?,?,00628BBA,00000000,?), ref: 00628FC5

SendMessageW.USER32(?,00001053), ref: 00666F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00666F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00666FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00666FB7

Strings

0, xrefs: 00666DCF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6bc5ec4be3e301e577e49456c0f81fae19526934ea01e0f5d9b87df38cc5d3ba
Instruction ID: abb5e199c45125bdc42367561e44690908b1459fa5f495b75103d8dfb83bf02a
Opcode Fuzzy Hash: 6bc5ec4be3e301e577e49456c0f81fae19526934ea01e0f5d9b87df38cc5d3ba
Instruction Fuzzy Hash: 9212AB30605651EFDB25DF24E884BAABBE7FB45310F144469F4898B262CB32EC52DF91

Function 00692711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0069273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0069286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00692900
GetClientRect.USER32(00000000,?), ref: 0069290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00692955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00692964
GetStockObject.GDI32(00000011), ref: 00692974
SelectObject.GDI32(00000000,00000000), ref: 00692978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00692988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00692991
DeleteDC.GDI32(00000000), ref: 0069299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00692A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00692A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00692A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00692A77
GetStockObject.GDI32(00000011), ref: 00692A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00692A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00692A97

Strings

static, xrefs: 0069294F, 00692A71
msctls_progress32, xrefs: 00692A13
DISPLAY, xrefs: 0069295A
AutoIt v3, xrefs: 006928F8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 452a59a09dcbe1f293e8c213ed68551425957ec17376e1ca11bac32d9b742f7d
Instruction ID: 2fa43dc781678de8d5aa04d54dfc57b8457a1c45456d63e9cf3b855156d60963
Opcode Fuzzy Hash: 452a59a09dcbe1f293e8c213ed68551425957ec17376e1ca11bac32d9b742f7d
Instruction Fuzzy Hash: 33B14C71A00215AFEB14DFA8CC85EAE7BBAEB09710F004159F915EB690D770ED40CBA4

Function 00684ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00684AED
GetDriveTypeW.KERNEL32(?,006ACB68,?,\\.\,006ACC08), ref: 00684BCA
SetErrorMode.KERNEL32(00000000,006ACB68,?,\\.\,006ACC08), ref: 00684D36

Strings

Virtual, xrefs: 00684CE5
ATA, xrefs: 00684C98
Removable, xrefs: 00684C10, 00684C15
\\.\, xrefs: 00684B3F
iSCSI, xrefs: 00684CC2
SSD, xrefs: 00684C4A
PhysicalDrive, xrefs: 00684B76
SCSI, xrefs: 00684C8A
Unknown, xrefs: 00684BED, 00684C83
SATA, xrefs: 00684CD0
FileBackedVirtual, xrefs: 00684CEC
Fibre, xrefs: 00684CAD
MMC, xrefs: 00684CDE
RAID, xrefs: 00684CBB
CDROM, xrefs: 00684BFB
USB, xrefs: 00684CB4
1394, xrefs: 00684C9F
RAMDisk, xrefs: 00684BF4
Network, xrefs: 00684C02
SAS, xrefs: 00684CC9
SSA, xrefs: 00684CA6
ATAPI, xrefs: 00684C91
Fixed, xrefs: 00684C09

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4a499ecdff5174d62927c23730f18f46fb98d557a17c01d599ca72a93fe4f422
Instruction ID: f5ea2d1c3d16ed7ece3adbfe651fcab000419f228e6b336d310809c1428aad2d
Opcode Fuzzy Hash: 4a499ecdff5174d62927c23730f18f46fb98d557a17c01d599ca72a93fe4f422
Instruction Fuzzy Hash: A761C530B061079BCB14FF24CA819ACB7B7AF44344B24861AF806AB391DFB1ED42DB55

Function 006A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006A7421
SetTextColor.GDI32(?,?), ref: 006A7425
GetSysColorBrush.USER32(0000000F), ref: 006A743B
GetSysColor.USER32(0000000F), ref: 006A7446
CreateSolidBrush.GDI32(?), ref: 006A744B
GetSysColor.USER32(00000011), ref: 006A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006A7471
SelectObject.GDI32(?,00000000), ref: 006A7482
SetBkColor.GDI32(?,00000000), ref: 006A748B
SelectObject.GDI32(?,?), ref: 006A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 006A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 006A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 006A7572
DrawFocusRect.USER32(?,?), ref: 006A757D
GetSysColor.USER32(00000011), ref: 006A758E
SetTextColor.GDI32(?,00000000), ref: 006A7596
DrawTextW.USER32(?,006A70F5,000000FF,?,00000000), ref: 006A75A8
SelectObject.GDI32(?,?), ref: 006A75BF
DeleteObject.GDI32(?), ref: 006A75CA
SelectObject.GDI32(?,?), ref: 006A75D0
DeleteObject.GDI32(?), ref: 006A75D5
SetTextColor.GDI32(?,?), ref: 006A75DB
SetBkColor.GDI32(?,?), ref: 006A75E5

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 394e6e84a540cde45e2b123a10bcd73d1078efdb90e4f6e6ae7a314f5c02ea64
Instruction ID: 8efcdc8480e6a6fbc2fceebc3c5539a332f6d127f1d151ea2484f7bbcde8f4ad
Opcode Fuzzy Hash: 394e6e84a540cde45e2b123a10bcd73d1078efdb90e4f6e6ae7a314f5c02ea64
Instruction Fuzzy Hash: E2615272D04218AFDF01AFA4DC49ADE7FBAEB0A320F115165F915A72A1D770AD40DF90

Function 006A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006A1128
GetDesktopWindow.USER32 ref: 006A113D
GetWindowRect.USER32(00000000), ref: 006A1144
GetWindowLongW.USER32(?,000000F0), ref: 006A1199
DestroyWindow.USER32(?), ref: 006A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 006A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 006A1245
IsWindowVisible.USER32(00000000), ref: 006A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006A12D0
GetWindowRect.USER32(00000000,?), ref: 006A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 006A130E
GetMonitorInfoW.USER32(00000000,?), ref: 006A1328
CopyRect.USER32(?,?), ref: 006A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 006A13AA

Strings

0, xrefs: 006A10D3
(, xrefs: 006A131B
tooltips_class32, xrefs: 006A11E6

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 76c11f6fc0f081eda7bbfb243892d8a408c209e38286ace3ef52671bfe1ed670
Instruction ID: 136cf3ed2a8d30e66ee8e26eb35a0d9b68a7414ec72c104838cc70946c95af7d
Opcode Fuzzy Hash: 76c11f6fc0f081eda7bbfb243892d8a408c209e38286ace3ef52671bfe1ed670
Instruction Fuzzy Hash: 22B17C71608341AFD744EF64C884BAABBE6EF86350F00891CF9999B261DB31EC45CF95

Function 006A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006A02E5
_wcslen.LIBCMT ref: 006A031F
_wcslen.LIBCMT ref: 006A0389
_wcslen.LIBCMT ref: 006A03F1
_wcslen.LIBCMT ref: 006A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006A0504

Part of subcall function 0062F9F2: _wcslen.LIBCMT ref: 0062F9FD

Part of subcall function 0067223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00672258
Part of subcall function 0067223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0067228A

Strings

SELECTINVERT, xrefs: 006A057E
ISSELECTED, xrefs: 006A04DD
DESELECT, xrefs: 006A059C
GETSELECTED, xrefs: 006A05E1
GETSELECTEDCOUNT, xrefs: 006A0470, 006A048B
GETTEXT, xrefs: 006A03EC, 006A0407
GETITEMCOUNT, xrefs: 006A0316, 006A0337
GETSUBITEMCOUNT, xrefs: 006A0384, 006A039F
SELECTALL, xrefs: 006A0515
SELECT, xrefs: 006A0548
VIEWCHANGE, xrefs: 006A0675
FINDITEM, xrefs: 006A0627
SELECTCLEAR, xrefs: 006A052D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 9ca1a98a8e20637e44e7411a208e68b5e2a9d43fa2a38d58206bd6a504b9da14
Instruction ID: d9ce22dd77975f025ed30f9c5c92abdb207424073ba5dc9f3d7a5386cb2df738
Opcode Fuzzy Hash: 9ca1a98a8e20637e44e7411a208e68b5e2a9d43fa2a38d58206bd6a504b9da14
Instruction Fuzzy Hash: 93E1AF316082018FDB54EF24C55096AB7E7BF8A314F54496DF8969B3A1DB30ED86CF82

Function 00628891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00628968
GetSystemMetrics.USER32(00000007), ref: 00628970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0062899B
GetSystemMetrics.USER32(00000008), ref: 006289A3
GetSystemMetrics.USER32(00000004), ref: 006289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00628A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00628A3C
GetClientRect.USER32(00000000,000000FF), ref: 00628A5A
GetStockObject.GDI32(00000011), ref: 00628A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00628A81

Part of subcall function 0062912D: GetCursorPos.USER32(?), ref: 00629141
Part of subcall function 0062912D: ScreenToClient.USER32(00000000,?), ref: 0062915E
Part of subcall function 0062912D: GetAsyncKeyState.USER32(00000001), ref: 00629183
Part of subcall function 0062912D: GetAsyncKeyState.USER32(00000002), ref: 0062919D

SetTimer.USER32(00000000,00000000,00000028,006290FC), ref: 00628AA8

Strings

AutoIt v3 GUI, xrefs: 00628A20

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 8eb3fc5cac20a25848dcbeeaf046347d9733868e23341246cadfecad805ddde8
Instruction ID: 57aea83052a1dd8621279698be51ccedcb25291a4ef59d377a43f1b6da27cf5d
Opcode Fuzzy Hash: 8eb3fc5cac20a25848dcbeeaf046347d9733868e23341246cadfecad805ddde8
Instruction Fuzzy Hash: FEB18B31A002199FDB14DFA8ED85BEE7BB6FB49314F104229FA15AB290DB34E841CF51

Function 00670D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00671114
Part of subcall function 006710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 00671120
Part of subcall function 006710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 0067112F
Part of subcall function 006710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 00671136
Part of subcall function 006710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00670DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00670E29
GetLengthSid.ADVAPI32(?), ref: 00670E40
GetAce.ADVAPI32(?,00000000,?), ref: 00670E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00670E96
GetLengthSid.ADVAPI32(?), ref: 00670EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00670EB5
HeapAlloc.KERNEL32(00000000), ref: 00670EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00670EDD
CopySid.ADVAPI32(00000000), ref: 00670EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00670F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00670F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00670F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00670F6E
HeapFree.KERNEL32(00000000), ref: 00670F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00670F7E
HeapFree.KERNEL32(00000000), ref: 00670F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00670F8E
HeapFree.KERNEL32(00000000), ref: 00670F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00670FA1
HeapFree.KERNEL32(00000000), ref: 00670FA8

Part of subcall function 00671193: GetProcessHeap.KERNEL32(00000008,00670BB1,?,00000000,?,00670BB1,?), ref: 006711A1
Part of subcall function 00671193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00670BB1,?), ref: 006711A8
Part of subcall function 00671193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00670BB1,?), ref: 006711B7

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 12d93cca328692f0331035477ab27b84ea95cfbf8ec44aa979c85d3827c0c5f9
Instruction ID: 26c522652f9134f9aa0226861d4a2a6f9f7d91eca0570448ce792488f5473cdb
Opcode Fuzzy Hash: 12d93cca328692f0331035477ab27b84ea95cfbf8ec44aa979c85d3827c0c5f9
Instruction Fuzzy Hash: 11714C7290020AEBEB20DFA4DC44BEEBBBABF05310F148115F919A6291D775A945CF70

Function 0069C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0069C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,006ACC08,00000000,?,00000000,?,?), ref: 0069C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0069C5A4
_wcslen.LIBCMT ref: 0069C5F4
_wcslen.LIBCMT ref: 0069C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0069C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0069C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0069C84D
RegCloseKey.ADVAPI32(?), ref: 0069C881
RegCloseKey.ADVAPI32(00000000), ref: 0069C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0069C960

Strings

REG_QWORD, xrefs: 0069C8C3
REG_MULTI_SZ, xrefs: 0069C6F5
REG_EXPAND_SZ, xrefs: 0069C5CD
REG_DWORD, xrefs: 0069C804
REG_SZ, xrefs: 0069C644
REG_BINARY, xrefs: 0069C913

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2d16e2d76cb559cedfed73cc44c767dfaf86a02df363c9a4abc69c66980fa3ea
Instruction ID: 4c16f8aaa3c35b881676eaee03c589c995804bfda03a148a112389c8de255284
Opcode Fuzzy Hash: 2d16e2d76cb559cedfed73cc44c767dfaf86a02df363c9a4abc69c66980fa3ea
Instruction Fuzzy Hash: 9D127B356042019FCB54DF14C891A6AB7F6EF88724F09885CF84A9B7A2DB31FD41CB85

Function 006A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006A09C6
_wcslen.LIBCMT ref: 006A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006A0A54
_wcslen.LIBCMT ref: 006A0A8A
_wcslen.LIBCMT ref: 006A0B06
_wcslen.LIBCMT ref: 006A0B81

Part of subcall function 0062F9F2: _wcslen.LIBCMT ref: 0062F9FD

Part of subcall function 00672BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00672BFA

Strings

EXPAND, xrefs: 006A0BF8
SELECT, xrefs: 006A0D11
GETSELECTED, xrefs: 006A0C4E
EXISTS, xrefs: 006A0B7C, 006A0B97
GETTEXT, xrefs: 006A0C97
ISCHECKED, xrefs: 006A0CE1
COLLAPSE, xrefs: 006A0B01, 006A0B1C
GETITEMCOUNT, xrefs: 006A0C1E
CHECK, xrefs: 006A0A85, 006A0AA0
GETTOTALCOUNT, xrefs: 006A09F2, 006A0A17
UNCHECK, xrefs: 006A0D3E

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 750afcc377ebb5a593e822b3277fb6ee494dc8827b1a28a477efb513d76c6f40
Instruction ID: 6be58c4bb11c3e34ccb9e1e0fa7f822fc92e0170a86d4791e1c3dfdf54ae30e8
Opcode Fuzzy Hash: 750afcc377ebb5a593e822b3277fb6ee494dc8827b1a28a477efb513d76c6f40
Instruction Fuzzy Hash: E3E19B316083018FC754EF24C45096AB7E3BF9A314B14895DF89A9B3A2DB31ED86CF91

Function 0069C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069B6AE,?,?), ref: 0069C9B5
_wcslen.LIBCMT ref: 0069C9F1
_wcslen.LIBCMT ref: 0069CA68
_wcslen.LIBCMT ref: 0069CA9E
_wcslen.LIBCMT ref: 0069CAF9
_wcslen.LIBCMT ref: 0069CB2F
_wcslen.LIBCMT ref: 0069CB7F

Strings

HKEY_USERS, xrefs: 0069CBDF
HKCC, xrefs: 0069CBAC
HKU, xrefs: 0069CBF0
HKEY_CURRENT_USER, xrefs: 0069CBBD
HKCU, xrefs: 0069CBCE
HKEY_LOCAL_MACHINE, xrefs: 0069CA62, 0069CA67
HKLM, xrefs: 0069CA98, 0069CA9D
HKEY_CURRENT_CONFIG, xrefs: 0069CB79, 0069CB7E
HKCR, xrefs: 0069CB29, 0069CB2E
HKEY_CLASSES_ROOT, xrefs: 0069CAF3, 0069CAF8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: da35ab0386b6912005a993016f40cf52a3740817db1eef70b275d992edb481be
Instruction ID: ffec679eba5cf49a3dfde7d16e45558e0b48489d7bb8c9dd9857f46c40ae6c74
Opcode Fuzzy Hash: da35ab0386b6912005a993016f40cf52a3740817db1eef70b275d992edb481be
Instruction Fuzzy Hash: 5171F332A0016A8BCF20DE7CC9515FE379BAB61774B250529FC569B784EA31DD8183A4

Function 006A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006A835A
_wcslen.LIBCMT ref: 006A836E
_wcslen.LIBCMT ref: 006A8391
_wcslen.LIBCMT ref: 006A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006A5BF2), ref: 006A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006A8501
FreeLibrary.KERNEL32(?), ref: 006A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006A851D
DestroyIcon.USER32(?,?,?,?,?,006A5BF2), ref: 006A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006A8555

Strings

.dll, xrefs: 006A83AB
.icl, xrefs: 006A8368
.exe, xrefs: 006A8388

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 9ff39698b26749f6386ed285ba19d0578ee29bcb15e9795793f04ba4adf6783d
Instruction ID: 02115f053249a2c4eddf6a6351f2d76f18cf33b99b1490e90908f84bd799b617
Opcode Fuzzy Hash: 9ff39698b26749f6386ed285ba19d0578ee29bcb15e9795793f04ba4adf6783d
Instruction Fuzzy Hash: 3561AC71900215BEEB14AF64CC45BFE77AAEB09B21F104609F815D61D1EF74AE90CBA0

Function 00617778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00617873, 006178C5
#comments-start, xrefs: 0061785F, 006178B1
#ce, xrefs: 006178ED
Cannot parse #include, xrefs: 00655279
Bad directive syntax error, xrefs: 0065519A
", xrefs: 00655153
#include, xrefs: 00617847
Unterminated group of comments, xrefs: 0065528C
#notrayicon, xrefs: 006177E7
#include-once, xrefs: 0061782F
', xrefs: 00655169
#OnAutoItStartRegister, xrefs: 00617817
#requireadmin, xrefs: 006177FF
#pragma compile, xrefs: 006177D3
#comments-end, xrefs: 006178D9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 63b65f3196a41925def20310467a0812371a87a9f310457cdc6ce10a71f67065
Instruction ID: 95f2f26298c37b322f4fc82cad06c3be18939c2b5c6b1f0c3802aa7e79fad163
Opcode Fuzzy Hash: 63b65f3196a41925def20310467a0812371a87a9f310457cdc6ce10a71f67065
Instruction Fuzzy Hash: 6E81D671604605BBDB61AF60DC56FEE37B7AF15300F084028F905AB292EB70D985CBE5

Function 00683E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00683EF8
_wcslen.LIBCMT ref: 00683F03
_wcslen.LIBCMT ref: 00683F5A
_wcslen.LIBCMT ref: 00683F98
GetDriveTypeW.KERNEL32(?), ref: 00683FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00684059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00684087

Strings

wait, xrefs: 00684044
open, xrefs: 00683F54, 00683F59
closed, xrefs: 00683F08, 00683F2D, 00683F46, 00683F7E, 00683F97
set cd door , xrefs: 00684028
open , xrefs: 00683FE5
close cd wait, xrefs: 00684072
type cdaudio alias cd wait, xrefs: 00684001
close, xrefs: 00683EFE, 00683F18

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: fc2dd52e5eb9fb4683d7ac13e80fd0eb0a7d6dc44323c9bfd294a3fa4c3b0582
Instruction ID: 0a832cca5190e910e7d5d7ac031d64bc86b46378204f6ecb8e68ff9d32383d47
Opcode Fuzzy Hash: fc2dd52e5eb9fb4683d7ac13e80fd0eb0a7d6dc44323c9bfd294a3fa4c3b0582
Instruction Fuzzy Hash: 9C71E371A042129FC350EF24C8809ABB7F6EF94764F044A2DF99697351EB31ED46CB91

Function 00675A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00675A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00675A40
SetWindowTextW.USER32(?,?), ref: 00675A57
GetDlgItem.USER32(?,000003EA), ref: 00675A6C
SetWindowTextW.USER32(00000000,?), ref: 00675A72
GetDlgItem.USER32(?,000003E9), ref: 00675A82
SetWindowTextW.USER32(00000000,?), ref: 00675A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00675AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00675AC3
GetWindowRect.USER32(?,?), ref: 00675ACC
_wcslen.LIBCMT ref: 00675B33
SetWindowTextW.USER32(?,?), ref: 00675B6F
GetDesktopWindow.USER32 ref: 00675B75
GetWindowRect.USER32(00000000), ref: 00675B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00675BD3
GetClientRect.USER32(?,?), ref: 00675BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00675C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00675C2F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 96e6311e044448418b581fb32562ad6b5079db9fe58a6f5ad37ae50905a19683
Instruction ID: 7b8e35b4867dc98313ccca05d2e7687a2c5ed5e3e385da3c617e893d45ba1115
Opcode Fuzzy Hash: 96e6311e044448418b581fb32562ad6b5079db9fe58a6f5ad37ae50905a19683
Instruction Fuzzy Hash: 3E716E31900B059FDB20DFA8CE95AAEBBF6FF48714F104958E147A26A0D7B5E944CF50

Function 0068FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0068FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0068FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0068FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0068FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0068FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0068FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0068FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0068FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0068FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0068FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0068FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0068FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0068FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0068FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0068FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0068FECC
GetCursorInfo.USER32(?), ref: 0068FEDC
GetLastError.KERNEL32 ref: 0068FF1E

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 8b1b57bd3fee4355966234c5fc9ad2e07e79e25ea9645ba3abc4243f719c68b8
Instruction ID: 353f51a424ca06fec3bddeb890690542514853e2a8071e7cf9d74b97d2c1d033
Opcode Fuzzy Hash: 8b1b57bd3fee4355966234c5fc9ad2e07e79e25ea9645ba3abc4243f719c68b8
Instruction Fuzzy Hash: 274151B0D443196ADB109FBA8C8985EBFE9FF04364B54462AF119E7281DB78E9018F91

Function 006730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0067318D
_wcslen.LIBCMT ref: 006731F8

Strings

[m, xrefs: 0067339A
CLASSNN, xrefs: 006731F3, 00673204
CLASS, xrefs: 00673188, 006731A5
TEXT, xrefs: 0067347C
NAME, xrefs: 00673335, 00673346
INSTANCE, xrefs: 00673453
REGEXPCLASS, xrefs: 00673255, 00673266

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[m
API String ID: 176396367-3544009371
Opcode ID: a46d2b560c5acdf9b457d8861897beffa61762c7ebd6555aa4270843bd25abcb
Instruction ID: e9a3bb43e9666f560c71f69f69e7f920126adb5f959748db0329fc7508798522
Opcode Fuzzy Hash: a46d2b560c5acdf9b457d8861897beffa61762c7ebd6555aa4270843bd25abcb
Instruction Fuzzy Hash: 7AE1C532A00536ABCB589F74C4516EDBBB7BF54710F54C22AE45AA7340DB30AF85ABD0

Function 006300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006300C6

Part of subcall function 006300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(006E070C,00000FA0,24A7096E,?,?,?,?,006523B3,000000FF), ref: 0063011C
Part of subcall function 006300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006523B3,000000FF), ref: 00630127
Part of subcall function 006300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006523B3,000000FF), ref: 00630138
Part of subcall function 006300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0063014E
Part of subcall function 006300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0063015C
Part of subcall function 006300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0063016A
Part of subcall function 006300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00630195
Part of subcall function 006300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006301A0

___scrt_fastfail.LIBCMT ref: 006300E7

Part of subcall function 006300A3: __onexit.LIBCMT ref: 006300A9

Strings

InitializeConditionVariable, xrefs: 00630148
SleepConditionVariableCS, xrefs: 00630154
kernel32.dll, xrefs: 00630133
WakeAllConditionVariable, xrefs: 00630162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00630122

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 279e4cebb96e8c17ad563891acc47ef5bb2fdad14e0ba664c34433b473d651e2
Instruction ID: 990bc6c9eebd18d2a851a78a8a3bbc27d13ac5cf9b339c1d43c03881564eaf68
Opcode Fuzzy Hash: 279e4cebb96e8c17ad563891acc47ef5bb2fdad14e0ba664c34433b473d651e2
Instruction Fuzzy Hash: 7E212632A447106BFB217BE4AC55B6A73A7EF46B61F110139F801A7391DFB0AC088ED4

Function 006844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,006ACC08), ref: 00684527
_wcslen.LIBCMT ref: 0068453B
_wcslen.LIBCMT ref: 00684599
_wcslen.LIBCMT ref: 006845F4
_wcslen.LIBCMT ref: 0068463F
_wcslen.LIBCMT ref: 006846A7

Part of subcall function 0062F9F2: _wcslen.LIBCMT ref: 0062F9FD

GetDriveTypeW.KERNEL32(?,006D6BF0,00000061), ref: 00684743

Strings

ramdisk, xrefs: 006846F1
all, xrefs: 00684531, 00684536
cdrom, xrefs: 0068458F, 00684594
network, xrefs: 0068469D, 006846A2
unknown, xrefs: 00684708
fixed, xrefs: 00684635, 0068463A
removable, xrefs: 006845EA, 006845EF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e6dace132b67664a09a7e65de65b852d0ae7305735ba72a8278a6cd6197f8fcf
Instruction ID: d944a0b22282db85b704976d683ceaed510678041f21205be3bcbb2a8530bb52
Opcode Fuzzy Hash: e6dace132b67664a09a7e65de65b852d0ae7305735ba72a8278a6cd6197f8fcf
Instruction Fuzzy Hash: 00B1D6715083029FC710EF28C890AAEB7E7AF95764F544A1DF496C7391EB30D985CB92

Function 006A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

DragQueryPoint.SHELL32(?,?), ref: 006A9147

Part of subcall function 006A7674: ClientToScreen.USER32(?,?), ref: 006A769A
Part of subcall function 006A7674: GetWindowRect.USER32(?,?), ref: 006A7710
Part of subcall function 006A7674: PtInRect.USER32(?,?,006A8B89), ref: 006A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 006A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 006A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 006A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 006A9277
DragFinish.SHELL32(?), ref: 006A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006A9371

Strings

@GUI_DROPID, xrefs: 006A929E
@GUI_DRAGFILE, xrefs: 006A9320
@GUI_DRAGID, xrefs: 006A92E9
p#n, xrefs: 006A92BB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#n
API String ID: 221274066-3661848578
Opcode ID: 23b530ea6fe6edeb98e6ab0519caf9eeacd8ebe082d0fea3f2fbfc75e121a507
Instruction ID: ec787cea3da4e88f6666b704e906b2eefa6a3220477b0caf9b94a18439e1cd25
Opcode Fuzzy Hash: 23b530ea6fe6edeb98e6ab0519caf9eeacd8ebe082d0fea3f2fbfc75e121a507
Instruction Fuzzy Hash: 16617D71108301AFC701EF54DC85DAFBBEAEF8A350F10091EF591961A1DB30AA49CFA6

Function 00693FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006ACC08), ref: 006940BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006940CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,006ACC08), ref: 006940F2
FreeLibrary.KERNEL32(00000000,?,006ACC08), ref: 0069413E
StringFromGUID2.OLE32(?,?,00000028,?,006ACC08), ref: 006941A8
SysFreeString.OLEAUT32(00000009), ref: 00694262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006942C8
SysFreeString.OLEAUT32(?), ref: 006942F2

Strings

kernel32.dll, xrefs: 006940B6
GetModuleHandleExW, xrefs: 006940C7

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 69dd04cd6a1d5665d7ccd95875751c45660b98d240dfd324c8b97f53761c8c7b
Instruction ID: 4d500739ac72c060721d92c2ed48b4fa33564e7c97cfa07a85f46ad5be6599c1
Opcode Fuzzy Hash: 69dd04cd6a1d5665d7ccd95875751c45660b98d240dfd324c8b97f53761c8c7b
Instruction Fuzzy Hash: 13124A75A00105EFDF14DF94C884EAEBBBAFF49714F248098E9059B651DB31EE46CBA0

Function 0061326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(006E1990), ref: 00652F8D
GetMenuItemCount.USER32(006E1990), ref: 0065303D
GetCursorPos.USER32(?), ref: 00653081
SetForegroundWindow.USER32(00000000), ref: 0065308A
TrackPopupMenuEx.USER32(006E1990,00000000,?,00000000,00000000,00000000), ref: 0065309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006530A9

Strings

0, xrefs: 0061327D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: c11c0a02fd0ace3001b96445794ff4920f707da2159e6a53ccca4237258795ee
Instruction ID: 1cdd7d61a101efa6821e95a435a00138fcce19fab63d82a553fd217be888148a
Opcode Fuzzy Hash: c11c0a02fd0ace3001b96445794ff4920f707da2159e6a53ccca4237258795ee
Instruction Fuzzy Hash: 97712770640216BEEB219F24DC59FEABF66FF02364F244206F9156A3E0C7B1AD54DB90

Function 006A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 006A6DEB

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006A6E94
DestroyWindow.USER32(?), ref: 006A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00610000,00000000), ref: 006A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006A6EFD
GetDesktopWindow.USER32 ref: 006A6F16
GetWindowRect.USER32(00000000), ref: 006A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006A6F4D

Part of subcall function 00629944: GetWindowLongW.USER32(?,000000EB), ref: 00629952

Strings

tooltips_class32, xrefs: 006A6E58, 006A6EDD
0, xrefs: 006A6D98

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: a3484563e88a15e582fc58a6f18feffa94dbfd3ad53a52ed87a8174b47e412b8
Instruction ID: 853a2990ea013a6c90a6c89344869423f6e8b010f9b2e4c8859f58ff823c6d32
Opcode Fuzzy Hash: a3484563e88a15e582fc58a6f18feffa94dbfd3ad53a52ed87a8174b47e412b8
Instruction Fuzzy Hash: 69716874144344AFDB21EF18D844AAABBEAFB8A314F08541DF9998B2A1D770AD06DF11

Function 0068C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0068C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0068C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0068C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0068C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0068C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0068C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0068C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0068C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0068C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0068C5F0
InternetCloseHandle.WININET(00000000), ref: 0068C5FB

Strings

, xrefs: 0068C575

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 8ed043a46250502e8d669670721bb0dcfcbc88ed8219ddeb7a9be46cb56f2c42
Instruction ID: 785a5f0a097c6a2404e1c842b5e14e2e73bce885892bb307069e4563e8951bd8
Opcode Fuzzy Hash: 8ed043a46250502e8d669670721bb0dcfcbc88ed8219ddeb7a9be46cb56f2c42
Instruction Fuzzy Hash: 77516DB1500204BFDB21AF64C948AAB7BFEFF09764F004519F94596210DB34EA549F71

Function 006A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 006A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006A85BA
GlobalLock.KERNEL32(00000000), ref: 006A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006A85D7
GlobalUnlock.KERNEL32(00000000), ref: 006A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,006AFC38,?), ref: 006A8611
GlobalFree.KERNEL32(00000000), ref: 006A8621
GetObjectW.GDI32(?,00000018,?), ref: 006A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 006A8671
DeleteObject.GDI32(?), ref: 006A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006A86AF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 86b1971fe783b8cf429b11786301d0423248a847142fa5d3e897fa9b3d59e1fe
Instruction ID: dad2b1f22783a4162815a1038dbfbe66358e677d6ba05d7a3f5cd5bbba38acc4
Opcode Fuzzy Hash: 86b1971fe783b8cf429b11786301d0423248a847142fa5d3e897fa9b3d59e1fe
Instruction Fuzzy Hash: DF41FA75600204AFDB11AFA5DC48EAA7BBAEF8A721F145058F905E7260DB30AE01CF60

Function 006814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00681502
VariantCopy.OLEAUT32(?,?), ref: 0068150B
VariantClear.OLEAUT32(?), ref: 00681517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00681657
VariantInit.OLEAUT32(?), ref: 00681708
SysFreeString.OLEAUT32(?), ref: 0068178C
VariantClear.OLEAUT32(?), ref: 006817D8
VariantClear.OLEAUT32(?), ref: 006817E7
VariantInit.OLEAUT32(00000000), ref: 00681823

Strings

Default, xrefs: 006816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00681625

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5b4992e20cae3b879e8189e8f674197325c12b64b9281d936599b57d0f16ccc6
Instruction ID: 936ebc2b1e76974778907a59adeb7c08ea82a58975583b02b92105d02f4289cc
Opcode Fuzzy Hash: 5b4992e20cae3b879e8189e8f674197325c12b64b9281d936599b57d0f16ccc6
Instruction Fuzzy Hash: 95D1E2B1A00515DBDB00BF65E484BB9B7BBBF46700F14865AE446AF280DB30ED43DB62

Function 0069B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 0069C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069B6AE,?,?), ref: 0069C9B5
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069C9F1
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069CA68
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0069B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0069B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0069B80A
RegCloseKey.ADVAPI32(?), ref: 0069B87E
RegCloseKey.ADVAPI32(?), ref: 0069B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0069B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0069B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0069B922
FreeLibrary.KERNEL32(00000000), ref: 0069B983
RegCloseKey.ADVAPI32(00000000), ref: 0069B994

Strings

RegDeleteKeyExW, xrefs: 0069B8FE
advapi32.dll, xrefs: 0069B8ED

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c49f9a361eecbf2cb43c8af79491ee2e898e3c8dc7c8728c03407cfb8f55c1e9
Instruction ID: d9988bff04b9af0456902a6850b2ddc159c7f1e1693226a6bfafce59095c83a1
Opcode Fuzzy Hash: c49f9a361eecbf2cb43c8af79491ee2e898e3c8dc7c8728c03407cfb8f55c1e9
Instruction Fuzzy Hash: 03C19F30204201AFDB10DF14D594F6ABBEABF85318F18955CF55A8B7A2CB71EC86CB91

Function 0069255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006925E8
CreateCompatibleDC.GDI32(?), ref: 006925F4
SelectObject.GDI32(00000000,?), ref: 00692601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0069266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006926D0
SelectObject.GDI32(?,?), ref: 006926D8
DeleteObject.GDI32(?), ref: 006926E1
DeleteDC.GDI32(?), ref: 006926E8
ReleaseDC.USER32(00000000,?), ref: 006926F3

Strings

(, xrefs: 0069268D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 6b5946bed8a1064c798aabc6be0af8c74a2bd25a9a333aad9ee8a7adeb429427
Instruction ID: b9ea17b9fa14f6b266da30ed3e215a921966f0befc750d38e96ce53d6e11ae9c
Opcode Fuzzy Hash: 6b5946bed8a1064c798aabc6be0af8c74a2bd25a9a333aad9ee8a7adeb429427
Instruction Fuzzy Hash: FE61F2B5E00219EFCF04DFA4D884AAEBBFAFF48310F208529E955A7250D771A941CF94

Function 0064DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0064DAA1

Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D659
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D66B
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D67D
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D68F
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D6A1
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D6B3
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D6C5
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D6D7
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D6E9
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D6FB
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D70D
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D71F
Part of subcall function 0064D63C: _free.LIBCMT ref: 0064D731

_free.LIBCMT ref: 0064DA96

Part of subcall function 006429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000), ref: 006429DE
Part of subcall function 006429C8: GetLastError.KERNEL32(00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000,00000000), ref: 006429F0

_free.LIBCMT ref: 0064DAB8
_free.LIBCMT ref: 0064DACD
_free.LIBCMT ref: 0064DAD8
_free.LIBCMT ref: 0064DAFA
_free.LIBCMT ref: 0064DB0D
_free.LIBCMT ref: 0064DB1B
_free.LIBCMT ref: 0064DB26
_free.LIBCMT ref: 0064DB5E
_free.LIBCMT ref: 0064DB65
_free.LIBCMT ref: 0064DB82
_free.LIBCMT ref: 0064DB9A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5a29d8a0308631fc491dccb9af1145eeef5dcfd15353451895acd88d2934fc4f
Instruction ID: ea4e64a22ad206d94347238be4a15058eadf856d2f54c2937ae9642015048c8f
Opcode Fuzzy Hash: 5a29d8a0308631fc491dccb9af1145eeef5dcfd15353451895acd88d2934fc4f
Instruction Fuzzy Hash: 39313B71A047069FEB62AA3AE845B9A77EBFF00710F65441EF449D7291DF31AC80C724

Function 0067365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0067369C
_wcslen.LIBCMT ref: 006736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00673797
GetClassNameW.USER32(?,?,00000400), ref: 0067380C
GetDlgCtrlID.USER32(?), ref: 0067385D
GetWindowRect.USER32(?,?), ref: 00673882
GetParent.USER32(?), ref: 006738A0
ScreenToClient.USER32(00000000), ref: 006738A7
GetClassNameW.USER32(?,?,00000100), ref: 00673921
GetWindowTextW.USER32(?,?,00000400), ref: 0067395D

Strings

%s%u, xrefs: 00673734

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c8f399308553092f89b768e0c1dfa4b52dde5309db87df7f7d32443d4cc01ca2
Instruction ID: ae012bfbdc1d6be056961e8dce0bde6750734932b77de0727d0efc1c0020f9dd
Opcode Fuzzy Hash: c8f399308553092f89b768e0c1dfa4b52dde5309db87df7f7d32443d4cc01ca2
Instruction Fuzzy Hash: EF91C471204616AFD718DF24C885FEAF7AAFF44350F108619FA9DC2290EB30EA45DB91

Function 00674954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00674994
GetWindowTextW.USER32(?,?,00000400), ref: 006749DA
_wcslen.LIBCMT ref: 006749EB
CharUpperBuffW.USER32(?,00000000), ref: 006749F7
_wcsstr.LIBVCRUNTIME ref: 00674A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00674A64
GetWindowTextW.USER32(?,?,00000400), ref: 00674A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00674AE6
GetClassNameW.USER32(?,?,00000400), ref: 00674B20
GetWindowRect.USER32(?,?), ref: 00674B8B

Strings

ThumbnailClass, xrefs: 00674A6F, 00674AF1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 9a5c8ff07be4a62aaced60bceb50252afd27435ff880a9979e3e3b1fe84fad0c
Instruction ID: 52d8d83b4ac1e8c68f7243ef353eb82986b44e3a260087fe10022f14a1e06e53
Opcode Fuzzy Hash: 9a5c8ff07be4a62aaced60bceb50252afd27435ff880a9979e3e3b1fe84fad0c
Instruction Fuzzy Hash: 0191BE710042059FDB05DF14C989FAAB7EAFF84714F04846AFD8A9A296DF30ED45CBA1

Function 006A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006A8D5A
GetFocus.USER32 ref: 006A8D6A
GetDlgCtrlID.USER32(00000000), ref: 006A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 006A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006A8ECF
GetMenuItemCount.USER32(?), ref: 006A8EEC
GetMenuItemID.USER32(?,00000000), ref: 006A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006A8FA1

Strings

0, xrefs: 006A8E9F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 2c854a1f9646a4099cc7956a38d7603ad83ad24bdef4c2425545ed053576aaca
Instruction ID: 87b0202d116aa8b55946553fe9cd1279278db8935005022de608ea9717764031
Opcode Fuzzy Hash: 2c854a1f9646a4099cc7956a38d7603ad83ad24bdef4c2425545ed053576aaca
Instruction Fuzzy Hash: BA817C715043029FDB10EF24D884AABBBEBBB8A354F14095DF98597291DB70ED01CFA1

Function 0067BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(006E1990,000000FF,00000000,00000030), ref: 0067BFAC
SetMenuItemInfoW.USER32(006E1990,00000004,00000000,00000030), ref: 0067BFE1
Sleep.KERNEL32(000001F4), ref: 0067BFF3
GetMenuItemCount.USER32(?), ref: 0067C039
GetMenuItemID.USER32(?,00000000), ref: 0067C056
GetMenuItemID.USER32(?,-00000001), ref: 0067C082
GetMenuItemID.USER32(?,?), ref: 0067C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0067C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0067C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0067C145

Strings

0, xrefs: 0067BF3D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: d5f44f56f5ed86d6621b75c6fee90ab389b418958a27e68ea89c70927018a561
Instruction ID: e2a1db03832fba7ada9134f88fea0e79cff9eaa44e3a74e928baa98f95e6c3dd
Opcode Fuzzy Hash: d5f44f56f5ed86d6621b75c6fee90ab389b418958a27e68ea89c70927018a561
Instruction Fuzzy Hash: B261A4B0900249AFDF11DF64DC88AEE7BBAEB06364F408159F809A7291D735AD55CBA0

Function 0067DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0067DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0067DC46
_wcslen.LIBCMT ref: 0067DC50
_wcsstr.LIBVCRUNTIME ref: 0067DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0067DCBC

Strings

DefaultLangCodepage, xrefs: 0067DD1F
\VarFileInfo\Translation, xrefs: 0067DCB4
%u.%u.%u.%u, xrefs: 0067DD9A
04090000, xrefs: 0067DCF2
StringFileInfo\, xrefs: 0067DC8F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3737d56a57cf028d81ebe34525646796c4dd927dbc06b4d5d478fa8c0fb508cd
Instruction ID: b6f6c772e4615066c3bd58ce49e29d04c8e18b0b09e80f97579d4f2319f2d99a
Opcode Fuzzy Hash: 3737d56a57cf028d81ebe34525646796c4dd927dbc06b4d5d478fa8c0fb508cd
Instruction Fuzzy Hash: 0C4115329406107ADB55A774DC43EFF77BEDF42720F11446EF904A6182EB71AA019BB8

Function 0069CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0069CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0069CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0069CD48

Part of subcall function 0069CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0069CCAA
Part of subcall function 0069CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0069CCBD
Part of subcall function 0069CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0069CCCF
Part of subcall function 0069CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0069CD05
Part of subcall function 0069CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0069CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0069CCF3

Strings

RegDeleteKeyExW, xrefs: 0069CCC9
advapi32.dll, xrefs: 0069CCB8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 5a2a2e33e914c0a3c79a560539756fd6ff2af2e938b3d0074c2ada21aa244977
Instruction ID: 7c688927ba2d34e76213ac62c9d9b1d8cb4668f5c6b95ddf9d014f4530c52905
Opcode Fuzzy Hash: 5a2a2e33e914c0a3c79a560539756fd6ff2af2e938b3d0074c2ada21aa244977
Instruction Fuzzy Hash: F9316071A01129BBDB209B54DC88EFFBB7EEF46764F000165E905E3240D6349E49DAB0

Function 00683D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00683D40
_wcslen.LIBCMT ref: 00683D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00683D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00683DBE
RemoveDirectoryW.KERNEL32(?), ref: 00683DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00683E55
CloseHandle.KERNEL32(00000000), ref: 00683E60
CloseHandle.KERNEL32(00000000), ref: 00683E6B

Strings

\??\%s, xrefs: 00683D5B
\, xrefs: 00683D77
:, xrefs: 00683D82

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 62a94429837634edd9fd022a53c8307667825584967f47a5460e604cec2a2d73
Instruction ID: 223daa6c79a39f6fe55796960159de83a1b952e59932f73fb1fd9ad47f009118
Opcode Fuzzy Hash: 62a94429837634edd9fd022a53c8307667825584967f47a5460e604cec2a2d73
Instruction Fuzzy Hash: 31318371900119ABDB21AFA0DC49FEB37BEEF89B10F1041B5F605D6260EB7497458F64

Function 0067E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0067E6B4

Part of subcall function 0062E551: timeGetTime.WINMM(?,?,0067E6D4), ref: 0062E555

Sleep.KERNEL32(0000000A), ref: 0067E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0067E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0067E727
SetActiveWindow.USER32 ref: 0067E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0067E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0067E773
Sleep.KERNEL32(000000FA), ref: 0067E77E
IsWindow.USER32 ref: 0067E78A
EndDialog.USER32(00000000), ref: 0067E79B

Strings

BUTTON, xrefs: 0067E719

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 82ce9bc12610257a2aa997559891ec7cd892b7dd96374ab68fe292db08933527
Instruction ID: a8f8ee96be817b0c9836f341ae22fbb19558258d5f53db9531d532f3fe6baac3
Opcode Fuzzy Hash: 82ce9bc12610257a2aa997559891ec7cd892b7dd96374ab68fe292db08933527
Instruction Fuzzy Hash: ED218170240345AFEF00AF24ECD9A253B6FF75A359B10B465F509862A1DBB2BC48DE24

Function 0067E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0067EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0067EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0067EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0067EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0067EAA7

Strings

play PlayMe wait, xrefs: 0067EA91
open , xrefs: 0067EA0C
play PlayMe, xrefs: 0067EAA2
alias PlayMe, xrefs: 0067EA36
status PlayMe mode, xrefs: 0067EA58
close PlayMe, xrefs: 0067EA6E, 0067EA9B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d8e7887d6da053cfb125ed19d99598e1eee90d49f143a735942f832201fe3e82
Instruction ID: 3682dad385be9cb0bdd2c7167745f347171a6edb00d571a0eb3835dd20ced52a
Opcode Fuzzy Hash: d8e7887d6da053cfb125ed19d99598e1eee90d49f143a735942f832201fe3e82
Instruction Fuzzy Hash: DF11C631A9026A79D720A7A1DC5ADFF6B7EEBD5B00F04442AF811A61D0EEB01D45C5B0

Function 00675CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00675CE2
GetWindowRect.USER32(00000000,?), ref: 00675CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00675D59
GetDlgItem.USER32(?,00000002), ref: 00675D69
GetWindowRect.USER32(00000000,?), ref: 00675D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00675DCF
GetDlgItem.USER32(?,000003E9), ref: 00675DDD
GetWindowRect.USER32(00000000,?), ref: 00675DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00675E31
GetDlgItem.USER32(?,000003EA), ref: 00675E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00675E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00675E67

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: acec66f5a7cd548930cd88f1a407453a50ef34f282fe94a83fe0b9c957d524c6
Instruction ID: 8d7f50ae382bced28ff5b57ee17c11550dcc6afda8000a0a2dcccae69fa1d1c2
Opcode Fuzzy Hash: acec66f5a7cd548930cd88f1a407453a50ef34f282fe94a83fe0b9c957d524c6
Instruction Fuzzy Hash: 92512D71A00615AFDB18DF68CD99AAEBBB6FF48310F109169F51AE6290D770AE00CF50

Function 00628BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00628F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00628BE8,?,00000000,?,?,?,?,00628BBA,00000000,?), ref: 00628FC5

DestroyWindow.USER32(?), ref: 00628C81
KillTimer.USER32(00000000,?,?,?,?,00628BBA,00000000,?), ref: 00628D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00666973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00628BBA,00000000,?), ref: 006669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00628BBA,00000000,?), ref: 006669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00628BBA,00000000), ref: 006669D4
DeleteObject.GDI32(00000000), ref: 006669E6

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 19bf21c14fbc0ab6fc833aff26197df1558bc1aa878a61cf1925f0d0b7109892
Instruction ID: ad21a7bff7950a57e63855dfe20df33dd45a30e772b511aef94be953fbe14543
Opcode Fuzzy Hash: 19bf21c14fbc0ab6fc833aff26197df1558bc1aa878a61cf1925f0d0b7109892
Instruction Fuzzy Hash: 51618B31602B61DFCB259F14EE48B6977F3FB42312F14591DE0429B660CB35A895DF90

Function 00629838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00629944: GetWindowLongW.USER32(?,000000EB), ref: 00629952

GetSysColor.USER32(0000000F), ref: 00629862

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d06c08772d86b125ab20f30b4ff14a70ef1ec0153447fc60b7f8e5ba0dd37957
Instruction ID: 72de45fe83c02e13327263b2dc0db5a2c0db591b49231b511a1a5f512fbc8776
Opcode Fuzzy Hash: d06c08772d86b125ab20f30b4ff14a70ef1ec0153447fc60b7f8e5ba0dd37957
Instruction Fuzzy Hash: 8041A331504A509FDB245F38AC84BB937A7EB97334F185A55F9A28B2E1C7359C42DF20

Function 00648D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.c, xrefs: 0064903A, 00648FD0, 00648FF2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: .c
API String ID: 0-2099080748
Opcode ID: 465a24425ed573a067142adf2e1bf0d0c642720d007ce05d29b2205b3e2f659a
Instruction ID: 3bb74d2b4684f38efaba5c84d3c5e9cfd5a69213cdb6e6eb950c9dcbeba03230
Opcode Fuzzy Hash: 465a24425ed573a067142adf2e1bf0d0c642720d007ce05d29b2205b3e2f659a
Instruction Fuzzy Hash: C6C1C074D44249AFDB51DFA8D841BEEBBB2AF0A310F14419DF814AB392C7709A42CB75

Function 006796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0065F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00679717
LoadStringW.USER32(00000000,?,0065F7F8,00000001), ref: 00679720

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0065F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00679742
LoadStringW.USER32(00000000,?,0065F7F8,00000001), ref: 00679745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00679866

Strings

Line %d (File "%s"):, xrefs: 0067978F
Error: , xrefs: 0067981D
%s (%d) : ==> %s: %s %s, xrefs: 0067984A
Line %d:, xrefs: 006797A0
^ ERROR, xrefs: 006797FB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 9b360d08844226c1262d19b0415679fff1843bb3bd0ce36bd9f2f18db6c580ad
Instruction ID: ca5c892a76561ee564918d1a3510ba2394ce5d27e8811b809b2922eaba2809fa
Opcode Fuzzy Hash: 9b360d08844226c1262d19b0415679fff1843bb3bd0ce36bd9f2f18db6c580ad
Instruction Fuzzy Hash: CB416172800219AACB44FBE0CD52DEE737AAF15340F144429F60672192EB356F88CB75

Function 006706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00670804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0067082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00670837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0067083C

Strings

\IPC$, xrefs: 00670784
SOFTWARE\Classes\, xrefs: 0067070E
\CLSID, xrefs: 00670724

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 451b196ffb0f0f32b62a85e82316acd89e983ce6e348746747a7d78af8b5c62c
Instruction ID: 0cdfe56c843025cb733e14e7b90346e44a94aa15d56cc0f889906cf3ba335219
Opcode Fuzzy Hash: 451b196ffb0f0f32b62a85e82316acd89e983ce6e348746747a7d78af8b5c62c
Instruction Fuzzy Hash: 24410972C10229EBDF15EBA4DC958EDB77ABF04350B09412AE915A7261EB306E44CFA4

Function 00693C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00693C5C
CoInitialize.OLE32(00000000), ref: 00693C8A
CoUninitialize.OLE32 ref: 00693C94
_wcslen.LIBCMT ref: 00693D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00693DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00693ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00693F0E
CoGetObject.OLE32(?,00000000,006AFB98,?), ref: 00693F2D
SetErrorMode.KERNEL32(00000000), ref: 00693F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00693FC4
VariantClear.OLEAUT32(?), ref: 00693FD8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 96ad757822d503a566bd308f98105759c4d4994d2317d0210b6ae09f3fdabca3
Instruction ID: b1e0cb5c85595273a84f5e09b03fb9e2718ab57355f147b25252bb5e694fbba0
Opcode Fuzzy Hash: 96ad757822d503a566bd308f98105759c4d4994d2317d0210b6ae09f3fdabca3
Instruction Fuzzy Hash: DDC123716082159FDB00DF68C88496BBBEAFF89754F04491DF98A9B310DB30EE46CB52

Function 00687A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00687AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00687B8F
SHGetDesktopFolder.SHELL32(?), ref: 00687BA3
CoCreateInstance.OLE32(006AFD08,00000000,00000001,006D6E6C,?), ref: 00687BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00687C74
CoTaskMemFree.OLE32(?,?), ref: 00687CCC
SHBrowseForFolderW.SHELL32(?), ref: 00687D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00687D7A
CoTaskMemFree.OLE32(00000000), ref: 00687D81
CoTaskMemFree.OLE32(00000000), ref: 00687DD6
CoUninitialize.OLE32 ref: 00687DDC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 1540291e5a1bdd5503e73fa3fb903a52bdc7cf3f8a4da2356954c9b5ee5e7a86
Instruction ID: 149532993f0274bc145fbb0dff63c360706c99b43f8934303bfe90f036da06af
Opcode Fuzzy Hash: 1540291e5a1bdd5503e73fa3fb903a52bdc7cf3f8a4da2356954c9b5ee5e7a86
Instruction Fuzzy Hash: CFC10C75A04109AFCB14EFA4C884DAEBBFAFF48314B148599E4199B361D730ED45CF94

Function 006A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A5515
CharNextW.USER32(00000158), ref: 006A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A55AC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: f7a1750285e770406d33c51036d94f7400e3e256f64613f7d5d791315c795136
Instruction ID: 89145fa8aa06f64088906df18935862e5605feb8dc9bfdf234ab99a056ae5a13
Opcode Fuzzy Hash: f7a1750285e770406d33c51036d94f7400e3e256f64613f7d5d791315c795136
Instruction Fuzzy Hash: C9615B71904608EBDB10EF54CC849FE7BBAEB0B720F104149F926AA291D7749E81DFA1

Function 0066FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0066FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0066FB08
VariantInit.OLEAUT32(?), ref: 0066FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0066FB3A
VariantCopy.OLEAUT32(?,?), ref: 0066FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0066FBA1
VariantClear.OLEAUT32(?), ref: 0066FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0066FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0066FBCC
VariantClear.OLEAUT32(?), ref: 0066FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0066FBE9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b43618bf93e7f4e2174b7f538b5c8dc79a4e34492be07023a78460ddbb767839
Instruction ID: 4e22463c72b8dabe6999b719a1a1caab68b77030c916fe0b05ddf4f747d0fca1
Opcode Fuzzy Hash: b43618bf93e7f4e2174b7f538b5c8dc79a4e34492be07023a78460ddbb767839
Instruction Fuzzy Hash: 36413375A00219DFCB00EFA4D854DEDBBBAFF49354F008069E955A7261DB30E945CF94

Function 00679C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00679CA1
GetAsyncKeyState.USER32(000000A0), ref: 00679D22
GetKeyState.USER32(000000A0), ref: 00679D3D
GetAsyncKeyState.USER32(000000A1), ref: 00679D57
GetKeyState.USER32(000000A1), ref: 00679D6C
GetAsyncKeyState.USER32(00000011), ref: 00679D84
GetKeyState.USER32(00000011), ref: 00679D96
GetAsyncKeyState.USER32(00000012), ref: 00679DAE
GetKeyState.USER32(00000012), ref: 00679DC0
GetAsyncKeyState.USER32(0000005B), ref: 00679DD8
GetKeyState.USER32(0000005B), ref: 00679DEA

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: aadabc936e02270a0b7553006a1665e8cdb548c32aa8b703adc75b5a568ba023
Instruction ID: 1d9f49433293b846e130d11aa5fc145fd44a9f2968a3784ba6a4d4c912e492cb
Opcode Fuzzy Hash: aadabc936e02270a0b7553006a1665e8cdb548c32aa8b703adc75b5a568ba023
Instruction Fuzzy Hash: 6541B834504BC96DFF31966484043F5BEE3AF12344F08C05ADACA567C2EBA5A9C4CBB2

Function 0069055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006905BC
inet_addr.WSOCK32(?), ref: 0069061C
gethostbyname.WSOCK32(?), ref: 00690628
IcmpCreateFile.IPHLPAPI ref: 00690636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006907B9
WSACleanup.WSOCK32 ref: 006907BF

Strings

Ping, xrefs: 00690676

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f7e9931520979e4d7edbd874efcd47fc4d20d2a696deed9f11f850af3f64c311
Instruction ID: e12845eb0cbc990d7a1e0a687e25407a5eb4724d29fdd35c4c0f7ce41d34a33d
Opcode Fuzzy Hash: f7e9931520979e4d7edbd874efcd47fc4d20d2a696deed9f11f850af3f64c311
Instruction Fuzzy Hash: 36918E35604201AFEB20DF15C488F5ABBE6AF44328F1585A9E4698FBA2C730FC41CF91

Function 00698CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00698CF3

Part of subcall function 00678E54: _wcslen.LIBCMT ref: 00678E77

_wcslen.LIBCMT ref: 00698D4E
_wcslen.LIBCMT ref: 00698D9C
_wcslen.LIBCMT ref: 00698DDC
_wcslen.LIBCMT ref: 00698E6E

Strings

winapi, xrefs: 00698D96, 00698D9B
stdcall, xrefs: 00698DD6, 00698DDB
none, xrefs: 00698E65, 00698E6A
cdecl, xrefs: 00698D48, 00698D4D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 6a89b8bf71b6038b322d8d14495691f4d779ad9922c26203991b58027dbd396c
Instruction ID: d4f23783f952a87542e91f2c890f8e00186398b93c1fe8e774b75ab7ea65f9f7
Opcode Fuzzy Hash: 6a89b8bf71b6038b322d8d14495691f4d779ad9922c26203991b58027dbd396c
Instruction Fuzzy Hash: 3C518D31A001169ECF14DF68C9609FEB7ABAF66320B24422AE426E77C4EB35DD45C790

Function 0069372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00693774
CoUninitialize.OLE32 ref: 0069377F
CoCreateInstance.OLE32(?,00000000,00000017,006AFB78,?), ref: 006937D9
IIDFromString.OLE32(?,?), ref: 0069384C
VariantInit.OLEAUT32(?), ref: 006938E4
VariantClear.OLEAUT32(?), ref: 00693936

Strings

Failed to create object, xrefs: 006937E4, 0069389A
NULL Pointer assignment, xrefs: 0069381E
Invalid parameter, xrefs: 00693865

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 3b8b61e31ea4ad02b21137c9f9b3cfb6707e7807ffb35e596a596baae7c8a8a3
Instruction ID: af4babdf8f9676c1eff3217d1f4b12c69b5dd02ba86cbe2396d24bc6413d6593
Opcode Fuzzy Hash: 3b8b61e31ea4ad02b21137c9f9b3cfb6707e7807ffb35e596a596baae7c8a8a3
Instruction Fuzzy Hash: D961A070608321AFD710DF54C948BAABBEAEF49710F00480EF9859B791D770EE49CB96

Function 006A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

Part of subcall function 0062912D: GetCursorPos.USER32(?), ref: 00629141
Part of subcall function 0062912D: ScreenToClient.USER32(00000000,?), ref: 0062915E
Part of subcall function 0062912D: GetAsyncKeyState.USER32(00000001), ref: 00629183
Part of subcall function 0062912D: GetAsyncKeyState.USER32(00000002), ref: 0062919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 006A8B6B
ImageList_EndDrag.COMCTL32 ref: 006A8B71
ReleaseCapture.USER32 ref: 006A8B77
SetWindowTextW.USER32(?,00000000), ref: 006A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 006A8CFF

Strings

@GUI_DROPID, xrefs: 006A8C51
p#n, xrefs: 006A8C71
@GUI_DRAGFILE, xrefs: 006A8C9A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#n
API String ID: 1924731296-3599589490
Opcode ID: 9bf42459d3ff8fe14b3d104c53358293f7799585a2b77b86625f462635e61f78
Instruction ID: 1ef0e3ed177331942bf6744fb9b3c6623f0c3a864bf64bf025e2c1bc695ba3de
Opcode Fuzzy Hash: 9bf42459d3ff8fe14b3d104c53358293f7799585a2b77b86625f462635e61f78
Instruction Fuzzy Hash: 33517C70504344AFD704EF14DC96FAA77E6EB86720F00052DF9925B2A2DB70AD54CF66

Function 00683388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006833CF

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006833F0

Strings

Line %d (File "%s"):, xrefs: 00683443, 0068345C
Error: , xrefs: 006834D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00683504
^ ERROR , xrefs: 0068349E
Incorrect parameters to object property !, xrefs: 006834AB
"%s" (%d) : ==> %s:, xrefs: 00683522

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 95a6185693a76505b150135111cb86fd16e9e68498b2d5ba9a4db204be22baa4
Instruction ID: a7a5b07c991a1bcaaf90773f226a03273d6ac124bc1aa02a123c534a9e2f2f36
Opcode Fuzzy Hash: 95a6185693a76505b150135111cb86fd16e9e68498b2d5ba9a4db204be22baa4
Instruction Fuzzy Hash: 3B51AE71C00219AADF54EBA0CD42EEEB3BAAF04740F184169F50572292EB312F98DF65

Function 0067B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0067B5FC
_wcslen.LIBCMT ref: 0067B608
_wcslen.LIBCMT ref: 0067B64D
_wcslen.LIBCMT ref: 0067B68C
_wcslen.LIBCMT ref: 0067B6C7

Strings

APPEND, xrefs: 0067B6C1, 0067B6C6
EXISTS, xrefs: 0067B686, 0067B68B
REMOVE, xrefs: 0067B602, 0067B607
KEYS, xrefs: 0067B647, 0067B64C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 18de55ec6d6a8706cd7bd2de6f451cfbe4f6474ed1dd5b0badfc8cec6270829e
Instruction ID: 197ec1b4d1ddb34386d9c4ec785c7245ccf6a836a68380b852cc8970fec59f59
Opcode Fuzzy Hash: 18de55ec6d6a8706cd7bd2de6f451cfbe4f6474ed1dd5b0badfc8cec6270829e
Instruction Fuzzy Hash: F541C932A001269BCB106F7DC8906FEB7A7AF61764B249129E629D7384E735CD81C790

Function 00685393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00685416
GetLastError.KERNEL32 ref: 00685420
SetErrorMode.KERNEL32(00000000,READY), ref: 006854A7

Strings

UNKNOWN, xrefs: 00685444
READONLY, xrefs: 00685452
NOTREADY, xrefs: 0068544B
READY, xrefs: 00685460, 00685468
INVALID, xrefs: 00685459

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 53245a979719e076d36fd694a0398e0568aac5186a73079a7ed748b29e935383
Instruction ID: 10a908713d8213816198929b5cb35889752242bad70f2f023fe1a429d60658f6
Opcode Fuzzy Hash: 53245a979719e076d36fd694a0398e0568aac5186a73079a7ed748b29e935383
Instruction Fuzzy Hash: A731A335A006049FD710EF68C484AEABBF6EF45305F188169E506CB392DB71ED86CB90

Function 006A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 006A3C79
SetMenu.USER32(?,00000000), ref: 006A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A3D10
IsMenu.USER32(?), ref: 006A3D24
CreatePopupMenu.USER32 ref: 006A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A3D5B
DrawMenuBar.USER32 ref: 006A3D63

Strings

F, xrefs: 006A3D4E
0, xrefs: 006A3C54

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 3c6f47c0d8766823a2008230fff882858d3706f5c333d683bf300f58c718fcda
Instruction ID: 69315141baaa23f544fc538c7fb364bb243a0d306d209f83b49527cd419c6e53
Opcode Fuzzy Hash: 3c6f47c0d8766823a2008230fff882858d3706f5c333d683bf300f58c718fcda
Instruction Fuzzy Hash: 90415C75A01219EFDB14EF64D884AEA7BB6FF4A350F140029F946A7360D730AE10CF94

Function 00671EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 00673CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00673CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00671F64
GetDlgCtrlID.USER32 ref: 00671F6F
GetParent.USER32 ref: 00671F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00671F8E
GetDlgCtrlID.USER32(?), ref: 00671F97
GetParent.USER32(?), ref: 00671FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00671FAE

Strings

ComboBox, xrefs: 00671EEC
ListBox, xrefs: 00671F21

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ff950a0e58804ab28ff1c43d96737ab1d7a43d75e79a03f753840bbb8d826f2e
Instruction ID: f4ed50558a00e61135cf70494d74d8aa4d1599e340541ddb19d27163f1eea98f
Opcode Fuzzy Hash: ff950a0e58804ab28ff1c43d96737ab1d7a43d75e79a03f753840bbb8d826f2e
Instruction Fuzzy Hash: F621C270900214BBCF15EFA4CC95DEEBBBAEF06350B10911AF96567291CB385944DB64

Function 006A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 006A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 006A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 006A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 006A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 006A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 006A3C13

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 18512b5f4a02d6ddbd65c52283a3b698b73a6ecbbe787a46cd6c6277c8a6e1d4
Instruction ID: 2dfa818e027db5f30daf03a5172447a2234720f4d6e82d2261212b3bb9d81f08
Opcode Fuzzy Hash: 18512b5f4a02d6ddbd65c52283a3b698b73a6ecbbe787a46cd6c6277c8a6e1d4
Instruction Fuzzy Hash: 9A615B75900258AFDB10DFA8CC81EEE77BAEB0A710F104199FA15AB391D770AE45DF60

Function 0067B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0067B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0067A1E1,?,00000001), ref: 0067B165
GetWindowThreadProcessId.USER32(00000000), ref: 0067B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0067A1E1,?,00000001), ref: 0067B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0067B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0067A1E1,?,00000001), ref: 0067B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0067A1E1,?,00000001), ref: 0067B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0067A1E1,?,00000001), ref: 0067B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0067A1E1,?,00000001), ref: 0067B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0067A1E1,?,00000001), ref: 0067B21D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: fac31aeb50b58c13902063364c9991bb67eab1b2b7d77ddbd9e5c9e17a21b03f
Instruction ID: 94949222b8683bf7067583452013a0800f00dab61477418f82e53de1a6891994
Opcode Fuzzy Hash: fac31aeb50b58c13902063364c9991bb67eab1b2b7d77ddbd9e5c9e17a21b03f
Instruction Fuzzy Hash: CA315C75500318AFDB10AF64DC88BBD7BABAB51321F14B415FA19DB391E7B4AE408F60

Function 00642C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00642C94

Part of subcall function 006429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000), ref: 006429DE
Part of subcall function 006429C8: GetLastError.KERNEL32(00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000,00000000), ref: 006429F0

_free.LIBCMT ref: 00642CA0
_free.LIBCMT ref: 00642CAB
_free.LIBCMT ref: 00642CB6
_free.LIBCMT ref: 00642CC1
_free.LIBCMT ref: 00642CCC
_free.LIBCMT ref: 00642CD7
_free.LIBCMT ref: 00642CE2
_free.LIBCMT ref: 00642CED
_free.LIBCMT ref: 00642CFB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c31baeb4da4e05b8c6aba8b0ad2672190d6e64ce69c6aea86b76fa654623dde6
Instruction ID: 6de8a170bf93af78d158a679b5fce5a18b992b9c82a49617ac61d83b833bdd55
Opcode Fuzzy Hash: c31baeb4da4e05b8c6aba8b0ad2672190d6e64ce69c6aea86b76fa654623dde6
Instruction Fuzzy Hash: E811E976100109BFDB42EF56D892CDD3BA6FF05750FA144A8F9489F222DA31EE509B94

Function 00687DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00687FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00687FC1
GetFileAttributesW.KERNEL32(?), ref: 00687FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00688005
SetCurrentDirectoryW.KERNEL32(?), ref: 00688017
SetCurrentDirectoryW.KERNEL32(?), ref: 00688060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006880B0

Strings

*.*, xrefs: 00688066

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7e0e4cef1d0ee71c0d6573a26e6bab0d79f6097a858ba55479433a515498eadd
Instruction ID: 33dafd6b5d219a1f9daa6f976511ffe98498baf10fe398297a10bb016a049bfe
Opcode Fuzzy Hash: 7e0e4cef1d0ee71c0d6573a26e6bab0d79f6097a858ba55479433a515498eadd
Instruction Fuzzy Hash: 4E81B2725082059FCB20FF14C4449AEB3EABF89310F644E5EF885D7250EB75ED458B92

Function 00615BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00615C7A

Part of subcall function 00615D0A: GetClientRect.USER32(?,?), ref: 00615D30
Part of subcall function 00615D0A: GetWindowRect.USER32(?,?), ref: 00615D71
Part of subcall function 00615D0A: ScreenToClient.USER32(?,?), ref: 00615D99

GetDC.USER32 ref: 006546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00654708
SelectObject.GDI32(00000000,00000000), ref: 00654716
SelectObject.GDI32(00000000,00000000), ref: 0065472B
ReleaseDC.USER32(?,00000000), ref: 00654733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006547C4

Strings

U, xrefs: 00654693

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 17ee7df785f2cf4148b43e382f0fca6540761af801811bfcf51ba0b44b9cd8ba
Instruction ID: 2f952f922290d4d610e0bb373b3171b5095ba3f4e459fe26b8b2eb459abc05af
Opcode Fuzzy Hash: 17ee7df785f2cf4148b43e382f0fca6540761af801811bfcf51ba0b44b9cd8ba
Instruction Fuzzy Hash: 5B71E334400205DFCF219F64C984AEA7BB7FF4A329F1842A9ED565A266CB319CC5DF50

Function 0068359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006835E4

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

LoadStringW.USER32(006E2390,?,00000FFF,?), ref: 0068360A

Strings

Line %d (File "%s"):, xrefs: 0068366B
Error: , xrefs: 006836EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00683724
"%s" (%d) : ==> %s:, xrefs: 00683742
^ ERROR, xrefs: 006836C9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 11cd3a5a1faed38d5ff2197f99dd4787db66e92a2f269db71bc5042056ee718f
Instruction ID: 4e31a171dcb93fa4c36c2a11f1e9ef669de3f87d5da8ca81f5e0d121891ec473
Opcode Fuzzy Hash: 11cd3a5a1faed38d5ff2197f99dd4787db66e92a2f269db71bc5042056ee718f
Instruction Fuzzy Hash: E2519171C00259BADF54EBA0CC42EEDBB76AF04710F184129F50576291EB316AD9DFA8

Function 0068C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0068C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0068C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0068C2CA
GetLastError.KERNEL32 ref: 0068C322
SetEvent.KERNEL32(?), ref: 0068C336
InternetCloseHandle.WININET(00000000), ref: 0068C341

Strings

, xrefs: 0068C2BB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c9411e2dbcb0a7b5796c54f9c98a1b20b699e0139697ca1a4946f25ab7e7b92f
Instruction ID: eefbe8f62123110716951583de348b4b638f247dc7061b029d96b508124894d7
Opcode Fuzzy Hash: c9411e2dbcb0a7b5796c54f9c98a1b20b699e0139697ca1a4946f25ab7e7b92f
Instruction Fuzzy Hash: A7317FB1500604AFD721AF649C88AAB7BFEEB49764F10861EF44692240DB34ED069B70

Function 0067989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00653AAF,?,?,Bad directive syntax error,006ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006798BC
LoadStringW.USER32(00000000,?,00653AAF,?), ref: 006798C3

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00679987

Strings

Line %d (File "%s"):, xrefs: 0067992D
Error: , xrefs: 00679955
., xrefs: 0067996D
Line %d:, xrefs: 00679912
%s (%d) : ==> %s.: %s %s, xrefs: 006798F1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b321c891e2849037111824f2527ea5203f648249e43f4c68dad395aa9cebab39
Instruction ID: c2ab2018bf12fd73a5d5770191b5b6285b071304c6cada781127fad35adf8016
Opcode Fuzzy Hash: b321c891e2849037111824f2527ea5203f648249e43f4c68dad395aa9cebab39
Instruction Fuzzy Hash: D3218531C00229ABDF15AF90CC06EED7777FF14310F08841AF51565191DB71A658DF64

Function 0067209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 006720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0067214D

Strings

smallicons, xrefs: 00672115
largeicons, xrefs: 006720E1
SHELLDLL_DefView, xrefs: 006720CC
details, xrefs: 006720FB
list, xrefs: 0067212F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 826c2636c5cfd68756970976e011b75833fcc59c3b6a837c25bd70bd7a503da6
Instruction ID: 04d78fea15cc925c25e8d4c2970bd28f8402357ce6ecac5fff119d71965a5332
Opcode Fuzzy Hash: 826c2636c5cfd68756970976e011b75833fcc59c3b6a837c25bd70bd7a503da6
Instruction Fuzzy Hash: D0115976A88307B9F6017221DC27CF7739FEB05324F20501BFB09A51D1FE6178425A58

Function 0064CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0064CEB7
_free.LIBCMT ref: 0064CF22
_free.LIBCMT ref: 0064CF48
_free.LIBCMT ref: 0064CF71
_free.LIBCMT ref: 0064CFA9
_free.LIBCMT ref: 0064CFDA
_free.LIBCMT ref: 0064D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0064D09C
_free.LIBCMT ref: 0064D0B5

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: f00c12e4c0f06a5f134f6b05cae7e7774c543754189d8e788198af51749becc6
Instruction ID: ac69097a732e6f74021caa7d5f797ca45cf344e3382298413ec3cd8effd91f62
Opcode Fuzzy Hash: f00c12e4c0f06a5f134f6b05cae7e7774c543754189d8e788198af51749becc6
Instruction Fuzzy Hash: 39617AB1D05341AFEBA1AFB59C91AAE7BA7EF01730F14016DF9409B382DB359D0587A0

Function 006A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 006A5186
ShowWindow.USER32(?,00000000), ref: 006A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 006A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 006A51D1

Part of subcall function 006A6FBA: DeleteObject.GDI32(00000000), ref: 006A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 006A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 006A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 006A5296

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5aa00b070f9b92de5a4b67e43cb03f003426b37653dc21529d0f2c300f91f6dc
Instruction ID: c42e2ab5dee31ac9c4d73461e7f3856f411e6662fe7be91d23fae778a452370e
Opcode Fuzzy Hash: 5aa00b070f9b92de5a4b67e43cb03f003426b37653dc21529d0f2c300f91f6dc
Instruction Fuzzy Hash: 1D517D30A50A08BEEF20FF24DC4ABE93B67AB07325F144015F6169A2E1C775AE90DF51

Function 00628B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00666890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00628874,00000000,00000000,00000000,000000FF,00000000), ref: 00666901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0066691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00628874,00000000,00000000,00000000,000000FF,00000000), ref: 0066692D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b287cf032590a2d2606547b08f3009b23eed87a3f0af50829d07a88f59b657d0
Instruction ID: 5026ef0173da770ce38a5c66983a701e7a7f4e4002030ca88394c40364176a7a
Opcode Fuzzy Hash: b287cf032590a2d2606547b08f3009b23eed87a3f0af50829d07a88f59b657d0
Instruction Fuzzy Hash: 3A51A970600609AFDB20DF24EC95FAA3BB7EB99361F10451CF9029B2A0DB70E990DF50

Function 0068C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0068C182
GetLastError.KERNEL32 ref: 0068C195
SetEvent.KERNEL32(?), ref: 0068C1A9

Part of subcall function 0068C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0068C272
Part of subcall function 0068C253: GetLastError.KERNEL32 ref: 0068C322
Part of subcall function 0068C253: SetEvent.KERNEL32(?), ref: 0068C336
Part of subcall function 0068C253: InternetCloseHandle.WININET(00000000), ref: 0068C341

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5363f96156bf47cc7e601c9ae77c847277c18ef002741b9a09cbd1d2ddc833ae
Instruction ID: cd9c23bdfce0d3b043a955f29a39cae8692129588ebf02a3c8e4b2c347d0a874
Opcode Fuzzy Hash: 5363f96156bf47cc7e601c9ae77c847277c18ef002741b9a09cbd1d2ddc833ae
Instruction Fuzzy Hash: 68318F71200601AFDB21AFB5DC58AB6BBFAFF59320B00861DF95682660DB31E914DF70

Function 006725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00673A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00673A57
Part of subcall function 00673A3D: GetCurrentThreadId.KERNEL32 ref: 00673A5E
Part of subcall function 00673A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006725B3), ref: 00673A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 006725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 006725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00672601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00672605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0067260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00672623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00672627

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e9055c4852029790cbb1adb90bfadf1d99d1670a5f842e18faaa9e7b0075f6a2
Instruction ID: 75de1fe7cb9d74f3d6d8b272c78923ee4d8bdf3c5ba4e08752aa7ca5fd51a4b8
Opcode Fuzzy Hash: e9055c4852029790cbb1adb90bfadf1d99d1670a5f842e18faaa9e7b0075f6a2
Instruction Fuzzy Hash: 3901D431390220BBFB107768DC8AF593F5ADB4EB22F105005F318AE1D1C9E228459E69

Function 00671803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00671449,?,?,00000000), ref: 0067180C
HeapAlloc.KERNEL32(00000000,?,00671449,?,?,00000000), ref: 00671813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00671449,?,?,00000000), ref: 00671828
GetCurrentProcess.KERNEL32(?,00000000,?,00671449,?,?,00000000), ref: 00671830
DuplicateHandle.KERNEL32(00000000,?,00671449,?,?,00000000), ref: 00671833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00671449,?,?,00000000), ref: 00671843
GetCurrentProcess.KERNEL32(00671449,00000000,?,00671449,?,?,00000000), ref: 0067184B
DuplicateHandle.KERNEL32(00000000,?,00671449,?,?,00000000), ref: 0067184E
CreateThread.KERNEL32(00000000,00000000,00671874,00000000,00000000,00000000), ref: 00671868

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0f1d5dbd6e5ea5b7f477334fa13c44a503bac5a31420ca7558b18056feaa219d
Instruction ID: f37932893fba51362fc5c288f5b145c5a2b5778a5d14f2dc1713a1bef1286912
Opcode Fuzzy Hash: 0f1d5dbd6e5ea5b7f477334fa13c44a503bac5a31420ca7558b18056feaa219d
Instruction Fuzzy Hash: DB01A8B5340308BFE710ABA5DC49F6B3BADEB8AB11F019411FA05DB1A1DA70AC008F20

Function 00643E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00643F0B
__alldvrm.LIBCMT ref: 0064410C
__alldvrm.LIBCMT ref: 0064412E

Strings

}}c, xrefs: 006440CD
}}c, xrefs: 00643E96, 00643EF1, 00643F0A, 00644090
}}c, xrefs: 00643E8A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}c$}}c$}}c
API String ID: 1036877536-2627086247
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: b7047113f3f0a1889a226fbcf1e914dfd1b6affa7ff04f07656ce732e324717f
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 2BA13771D003969FEB25CF18C8927FEBBE6EF62350F14416DE5959B381CA348986C750

Function 0069A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0067D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0067D501
Part of subcall function 0067D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0067D50F
Part of subcall function 0067D4DC: CloseHandle.KERNELBASE(00000000), ref: 0067D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069A16D
GetLastError.KERNEL32 ref: 0069A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0069A268
GetLastError.KERNEL32(00000000), ref: 0069A273
CloseHandle.KERNEL32(00000000), ref: 0069A2C4

Strings

SeDebugPrivilege, xrefs: 0069A18F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 31d74c388b415b757fbfe8ee1600bb683275760b7e7d18417a25433fd08cc5bc
Instruction ID: a4a2cd8a1e0dfcf876b7b644d1bc17d28d9a79b20d1db4f73b552b3342321223
Opcode Fuzzy Hash: 31d74c388b415b757fbfe8ee1600bb683275760b7e7d18417a25433fd08cc5bc
Instruction Fuzzy Hash: BA6181302082419FDB10DF54C494F69BBE6AF45318F18849CE4668BBA3C776ED86CBD6

Function 006A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 006A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006A3954
_wcslen.LIBCMT ref: 006A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 006A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006A39F4

Strings

SysListView32, xrefs: 006A38F7

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 3376b4af8afc03da222c9a72ccf713e0a38f2a19b8df06747c7c7b24501c4b0d
Instruction ID: 154bbf7d0faca8e692116febd297f591eaacaed4087199133a3649388a9c9d58
Opcode Fuzzy Hash: 3376b4af8afc03da222c9a72ccf713e0a38f2a19b8df06747c7c7b24501c4b0d
Instruction Fuzzy Hash: 64419571A00219ABDB21AF64CC45FEA77AAEF09350F10152AF958E7381D7759E84CF90

Function 0067BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0067BCFD
IsMenu.USER32(00000000), ref: 0067BD1D
CreatePopupMenu.USER32 ref: 0067BD53
GetMenuItemCount.USER32(00CD57E0), ref: 0067BDA4
InsertMenuItemW.USER32(00CD57E0,?,00000001,00000030), ref: 0067BDCC

Strings

0, xrefs: 0067BCA8
2, xrefs: 0067BD37

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 3b2bd505b4a397104b29e2b402885d2133bf52136a6a29e55e9b648bc3e3733a
Instruction ID: e726e208c69183b98da1d4051ed7e050bfd402d559dad986f078cdd9932a5e3e
Opcode Fuzzy Hash: 3b2bd505b4a397104b29e2b402885d2133bf52136a6a29e55e9b648bc3e3733a
Instruction Fuzzy Hash: 0E519D70A002059FDB21DFA8D888BEEBBF6AF45324F14E259F419D7391E770A941CB61

Function 00632D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00632D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00632D53
_ValidateLocalCookies.LIBCMT ref: 00632DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00632E0C
_ValidateLocalCookies.LIBCMT ref: 00632E61

Strings

csm, xrefs: 00632DF6
&Hc, xrefs: 00632DFE, 00632E07, 00632E18

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hc$csm
API String ID: 1170836740-746070727
Opcode ID: 54e667ca76ed1fe5f3f5df9fe5b6c864311819af97a6df2e672cf333b2a2c442
Instruction ID: a12d548b163bfee8dadd540b10581d3109b9a60f5ec3c6477ede3b319073df6e
Opcode Fuzzy Hash: 54e667ca76ed1fe5f3f5df9fe5b6c864311819af97a6df2e672cf333b2a2c442
Instruction Fuzzy Hash: 12419234E0021AABCF10DF68C865ADEBBB6BF45324F148159E915AB392D731EA45CBD0

Function 0067C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0067C913

Strings

stop, xrefs: 0067C8E4
question, xrefs: 0067C8CC
blank, xrefs: 0067C895
warning, xrefs: 0067C8FC
info, xrefs: 0067C8B4

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d75824040ee341cd901c4d528446f751719ecb33a1b01523a5fcf47e29e601db
Instruction ID: 330e0787e7887db9f6c82dc0d115b26c68038bf63cd7cf2c5efc7aee41f5f948
Opcode Fuzzy Hash: d75824040ee341cd901c4d528446f751719ecb33a1b01523a5fcf47e29e601db
Instruction Fuzzy Hash: E8110D3168930ABAE7015B55DC83CEAA79EDF15374F10402FF608A6382DB70AD0157A9

Function 0067DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0067DE42
gethostname.WSOCK32(?,00000100), ref: 0067DE5C
gethostbyname.WSOCK32(?), ref: 0067DE69
inet_ntoa.WSOCK32(?), ref: 0067DEAB
_strcat.LIBCMT ref: 0067DEB9
WSACleanup.WSOCK32 ref: 0067DEDE

Strings

0.0.0.0, xrefs: 0067DE87

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: a53de804d01c37d7670488714dc15fa8111e4d6c022a31332935d1a7fc7ae208
Instruction ID: 7979fe7112a7128c91612356ebeb8f9bb7b6dffd6a5fbaf312777537beb9beb5
Opcode Fuzzy Hash: a53de804d01c37d7670488714dc15fa8111e4d6c022a31332935d1a7fc7ae208
Instruction Fuzzy Hash: E7113331900114AFDB61BB20DC0AEEE77BEDF15720F0141A9F009AA191EF71EA818EA0

Function 0067ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0067ED2A
_wcslen.LIBCMT ref: 0067ED3B
_wcslen.LIBCMT ref: 0067ED79
_wcslen.LIBCMT ref: 0067EDAF
_wcslen.LIBCMT ref: 0067EDDF
_wcslen.LIBCMT ref: 0067EDEF
_wcslen.LIBCMT ref: 0067EE2B
_wcslen.LIBCMT ref: 0067EE5A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a938d660b6d79ebeab805f6014ee7ba427b8865cdba6ae492d93bcb90578077e
Instruction ID: 31870b28666b13a07cfc4b896779d4329930049a51a2c51dada878e1190c0bc8
Opcode Fuzzy Hash: a938d660b6d79ebeab805f6014ee7ba427b8865cdba6ae492d93bcb90578077e
Instruction Fuzzy Hash: D9419565C1011875CB51EBF4C88AACFB7AAAF49710F5084AAF518E3161FB34E355C3EA

Function 0062F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0066682C,00000004,00000000,00000000), ref: 0062F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0066682C,00000004,00000000,00000000), ref: 0066F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0066682C,00000004,00000000,00000000), ref: 0066F454

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2a3e9e0ac7b702c957ce19a41a57ae5ea36d17746d92a0120f5d7ed506a57f39
Instruction ID: 7796ad97ef7557acea513581b19cddc1e52b126cc142ec5dee2c24f9aeb5b6b6
Opcode Fuzzy Hash: 2a3e9e0ac7b702c957ce19a41a57ae5ea36d17746d92a0120f5d7ed506a57f39
Instruction Fuzzy Hash: 03411C31A08E90BAC7399B29F8887AA7BF7AB56310F14543CF04756761DA31A8C1CF51

Function 006A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006A2D1B
GetDC.USER32(00000000), ref: 006A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 006A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 006A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006A2DE1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 99188c63772b01c686b2c0f09ef480e91de1422a563b93cc873dfc8317321a60
Instruction ID: 4f778b1036574f48b031a1d85671181adb249bf0714960500027702caefa00ce
Opcode Fuzzy Hash: 99188c63772b01c686b2c0f09ef480e91de1422a563b93cc873dfc8317321a60
Instruction Fuzzy Hash: 2F317F72241214BFEB11AF54CC89FEB7BAAEF0A725F045055FE089A291C675AC50CBA4

Function 00675622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00675637
_memcmp.LIBVCRUNTIME ref: 00675659
_memcmp.LIBVCRUNTIME ref: 00675671
_memcmp.LIBVCRUNTIME ref: 00675684
_memcmp.LIBVCRUNTIME ref: 0067569E
_memcmp.LIBVCRUNTIME ref: 006756B1
_memcmp.LIBVCRUNTIME ref: 006756C9
_memcmp.LIBVCRUNTIME ref: 006756E4

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ec4f3e3e57b6821d852706d03bd74628e46fd870b43a12f4ab8e17b3df4a55d9
Instruction ID: 452c3b4346f2160340e1ff76fbc1a3e54d246202d0724583fa4fb3df8d891328
Opcode Fuzzy Hash: ec4f3e3e57b6821d852706d03bd74628e46fd870b43a12f4ab8e17b3df4a55d9
Instruction Fuzzy Hash: 72212C61640A0977E21867118DA2FFB335FAF12394F448064FD0F9E641FFA1EE1185E9

Function 00694FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0069502E, 00695383
Not an Object type, xrefs: 00695007

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f99f98edde8f884ae30c3da1e9c186403f8d3fb10c49e5400105554a1dab1db4
Instruction ID: 4d1a3fd138da69fa26e6e1d723e37e1dea6ca1d39fdde94ed5ba7f7122262869
Opcode Fuzzy Hash: f99f98edde8f884ae30c3da1e9c186403f8d3fb10c49e5400105554a1dab1db4
Instruction Fuzzy Hash: 77D1C271A0060A9FDF11DFA8C880BEEB7BABF48354F148069E916AB781E771DD45CB50

Function 00651522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 006515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00651651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006516FB

Part of subcall function 00643820: RtlAllocateHeap.NTDLL(00000000,?,006E1444,?,0062FDF5,?,?,0061A976,00000010,006E1440,006113FC,?,006113C6,?,00611129), ref: 00643852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00651777
__freea.LIBCMT ref: 006517A2
__freea.LIBCMT ref: 006517AE

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 27641df9c3d9222644d2b2c312a33a396d0dd45e77b9eca71ad35ddb3f515a87
Instruction ID: 0be8b7031186438b1744154cf6234f5a3246f0cb9b913cdc05c73590aecef86b
Opcode Fuzzy Hash: 27641df9c3d9222644d2b2c312a33a396d0dd45e77b9eca71ad35ddb3f515a87
Instruction Fuzzy Hash: D891A571E002169ADF208E78C891BEE7BB79F4A711F184659EC01EF241EB35DD49CB60

Function 00694523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00694648
VariantInit.OLEAUT32(?), ref: 00694749
VariantClear.OLEAUT32(?), ref: 00694753
VariantClear.OLEAUT32(?), ref: 006947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 006945D8, 00694706, 006947BE
Incorrect Object type in FOR..IN loop, xrefs: 0069472C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: d5082ae3f2d20d9ed5100769eedb4da663048065f9023ccd308bb94f0d78dde1
Instruction ID: 07c40c3db957d305d0470678fc9838ad0321da3364c8a8eb4455c14235325bfe
Opcode Fuzzy Hash: d5082ae3f2d20d9ed5100769eedb4da663048065f9023ccd308bb94f0d78dde1
Instruction Fuzzy Hash: AB918371A00219ABDF24CFA5CC44FEE7BBAEF46714F108559F505AB680DB709946CFA0

Function 00681187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0068125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00681284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0068135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00681430

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 305daa37bc6263517bd06e4f40205f1f5cb8e8beed7805e1bce07f5ce760eecd
Instruction ID: 3a11fddc0814309fa439435b3b566bab52e3ce40b94f3f051931bbd70eff4b99
Opcode Fuzzy Hash: 305daa37bc6263517bd06e4f40205f1f5cb8e8beed7805e1bce07f5ce760eecd
Instruction Fuzzy Hash: 2C91F371A002189FDB00EF94C894BFEB7FAFF46321F144629E900EB291D774A946CB94

Function 0062948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6fd3c6f8b9a4ce2984449d0956361fdf7d355836f668d913fe8566db534df2f2
Instruction ID: 4f4090f70c33a16efe689206547e82ab5255ccdd6bbae8f247d182db46b200c7
Opcode Fuzzy Hash: 6fd3c6f8b9a4ce2984449d0956361fdf7d355836f668d913fe8566db534df2f2
Instruction Fuzzy Hash: 0D912771E00619AFCB10CFA9D884AEEBBBAFF89320F144059E515B7251D375AA42CF60

Function 00693947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0069396B
CharUpperBuffW.USER32(?,?), ref: 00693A7A
_wcslen.LIBCMT ref: 00693A8A
VariantClear.OLEAUT32(?), ref: 00693C1F

Part of subcall function 00680CDF: VariantInit.OLEAUT32(00000000), ref: 00680D1F
Part of subcall function 00680CDF: VariantCopy.OLEAUT32(?,?), ref: 00680D28
Part of subcall function 00680CDF: VariantClear.OLEAUT32(?), ref: 00680D34

Strings

AUTOIT.ERROR, xrefs: 00693A80, 00693A85
Incorrect Parameter format, xrefs: 006939A6, 00693BA1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f87b306b86e1540a30704b100a38383e58d07d7a8081fb779b0ebeb780ea3b0a
Instruction ID: 9c771f49cd9062ec01d1378f99f16808d211f11f0f724b70f1b521459632e056
Opcode Fuzzy Hash: f87b306b86e1540a30704b100a38383e58d07d7a8081fb779b0ebeb780ea3b0a
Instruction Fuzzy Hash: D79158756083119FCB44EF24C48096AB7EAFF89314F14882DF8899B351DB30EE46CB96

Function 00694BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0067000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?,?,?,0067035E), ref: 0067002B
Part of subcall function 0067000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?,?), ref: 00670046
Part of subcall function 0067000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?,?), ref: 00670054
Part of subcall function 0067000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?), ref: 00670064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00694C51
_wcslen.LIBCMT ref: 00694D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00694DCF
CoTaskMemFree.OLE32(?), ref: 00694DDA

Strings

NULL Pointer assignment, xrefs: 00694E23, 00694E52

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: d0b715483afc4720ae5d8f6b2b7e07f6e963845425694ba9b5d314e3c39a9349
Instruction ID: 4cdfcc63432c13ec852dcc714dd55f8b2dc76a1e946b7d4de564b9cc7eb92ebc
Opcode Fuzzy Hash: d0b715483afc4720ae5d8f6b2b7e07f6e963845425694ba9b5d314e3c39a9349
Instruction Fuzzy Hash: 97911771D00219EFDF54DFA4C891EEEBBBABF08310F108569E919A7251DB349A45CFA0

Function 006A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006A2183
GetMenuItemCount.USER32(00000000), ref: 006A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006A21DD
_wcslen.LIBCMT ref: 006A2213
GetMenuItemID.USER32(?,?), ref: 006A224D
GetSubMenu.USER32(?,?), ref: 006A225B

Part of subcall function 00673A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00673A57
Part of subcall function 00673A3D: GetCurrentThreadId.KERNEL32 ref: 00673A5E
Part of subcall function 00673A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006725B3), ref: 00673A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006A22E3

Part of subcall function 0067E97B: Sleep.KERNEL32 ref: 0067E9F3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 16cc596a413170387efb87bb9932081b77ec4bceb4a975c2108ac4328fbadd88
Instruction ID: 1cfb0776b512c8f38a56de2343c8600838195ee32e09dceba51b733f48475f21
Opcode Fuzzy Hash: 16cc596a413170387efb87bb9932081b77ec4bceb4a975c2108ac4328fbadd88
Instruction Fuzzy Hash: 2C71A335E40206AFCB50EF68C851AAEB7F2EF49320F148459E916EB351DB34EE418F90

Function 006A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00CD5510), ref: 006A7F37
IsWindowEnabled.USER32(00CD5510), ref: 006A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 006A801E
SendMessageW.USER32(00CD5510,000000B0,?,?), ref: 006A8051
IsDlgButtonChecked.USER32(?,?), ref: 006A8089
GetWindowLongW.USER32(00CD5510,000000EC), ref: 006A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006A80C3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4892deaf29a146df7695db8f9909b961408ea54ebcc229fa4e5c6c16ce8013fa
Instruction ID: 099fd7b73e0c8316782b2150c72b89c7852744f51d6d8391c2f1a0f465b69a52
Opcode Fuzzy Hash: 4892deaf29a146df7695db8f9909b961408ea54ebcc229fa4e5c6c16ce8013fa
Instruction Fuzzy Hash: 6F715974608244AFEB21AF64CC94FEA7BBBAF0B300F144499E94597361CB31AE55DF20

Function 0067AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0067AEF9
GetKeyboardState.USER32(?), ref: 0067AF0E
SetKeyboardState.USER32(?), ref: 0067AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0067AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0067AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0067AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0067B020

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 65492250d3b99904c498e80f128bc55e2f5cb0d5c8dce5798940d8e9ff6e72d2
Instruction ID: e4e56b378fb89730dc4e6d0446f32691f3b4488c419a53b2d41f404ac55945d0
Opcode Fuzzy Hash: 65492250d3b99904c498e80f128bc55e2f5cb0d5c8dce5798940d8e9ff6e72d2
Instruction Fuzzy Hash: D951D1A06087D53DFB3682748845BFEBEAA5B46304F08D589E1ED859C3D398A8C4D752

Function 0067ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0067AD19
GetKeyboardState.USER32(?), ref: 0067AD2E
SetKeyboardState.USER32(?), ref: 0067AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0067ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0067ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0067AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0067AE38

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c2c5929978e515d3ea0c420efdb367da420909b214c4aa9c2624e45220cf8d3f
Instruction ID: a0c3d3e89319cafbccbec49afa860c9c57cdd562ae5997aa78840b23663655c1
Opcode Fuzzy Hash: c2c5929978e515d3ea0c420efdb367da420909b214c4aa9c2624e45220cf8d3f
Instruction Fuzzy Hash: 3051D4B15147D53DFB3683B48C55BBE7EAA5F86300F08C588E1DD46AC2D294EC84E752

Function 0064542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00653CD6,?,?,?,?,?,?,?,?,00645BA3,?,?,00653CD6,?,?), ref: 00645470
__fassign.LIBCMT ref: 006454EB
__fassign.LIBCMT ref: 00645506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00653CD6,00000005,00000000,00000000), ref: 0064552C
WriteFile.KERNEL32(?,00653CD6,00000000,00645BA3,00000000,?,?,?,?,?,?,?,?,?,00645BA3,?), ref: 0064554B
WriteFile.KERNEL32(?,?,00000001,00645BA3,00000000,?,?,?,?,?,?,?,?,?,00645BA3,?), ref: 00645584

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 2c533ba7b8772ba293dafceafe837db82ed9ad1ccf572ad7c0c8e55f8d81c575
Instruction ID: 36ecbd4894beb9b65ae6ff1d606bb9d9fc23fb94ee0937039f6fcebe994c9801
Opcode Fuzzy Hash: 2c533ba7b8772ba293dafceafe837db82ed9ad1ccf572ad7c0c8e55f8d81c575
Instruction Fuzzy Hash: 8751F970A006499FDB15CFA8D845AEEBBF6EF09310F14415AF556E7392D730EA41CB60

Function 006910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0069304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0069307A
Part of subcall function 0069304E: _wcslen.LIBCMT ref: 0069309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00691112
WSAGetLastError.WSOCK32 ref: 00691121
WSAGetLastError.WSOCK32 ref: 006911C9
closesocket.WSOCK32(00000000), ref: 006911F9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e2fbee5cacdba3c06de881dcca98ca455f75b15cd315c12866a038f156950a9f
Instruction ID: 8feca36abbfe767759d44f8ae1b950c4f0b248e85041fe7e1b6d115a0861dfe4
Opcode Fuzzy Hash: e2fbee5cacdba3c06de881dcca98ca455f75b15cd315c12866a038f156950a9f
Instruction Fuzzy Hash: D441BF31600215AFDB10AF14C884BEABBEBEF46364F248059F9159F391C774ED828BA1

Function 0067CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0067DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0067CF22,?), ref: 0067DDFD

Part of subcall function 0067DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0067CF22,?), ref: 0067DE16

lstrcmpiW.KERNEL32(?,?), ref: 0067CF45
MoveFileW.KERNEL32(?,?), ref: 0067CF7F
_wcslen.LIBCMT ref: 0067D005
_wcslen.LIBCMT ref: 0067D01B
SHFileOperationW.SHELL32(?), ref: 0067D061

Strings

\*.*, xrefs: 0067CFF3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: fc1a2175bbde049540eaacdec753cc220c571f64135b008593f06756613ed29b
Instruction ID: 8088124bbef7950819a514631325017eb1016763b6de0c4ed7bf6681d65192db
Opcode Fuzzy Hash: fc1a2175bbde049540eaacdec753cc220c571f64135b008593f06756613ed29b
Instruction Fuzzy Hash: 784157719051185EDF52EFA4C981BDDB7BAAF49350F0044EAE509EB141EA34A788CF54

Function 006A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 006A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 006A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 006A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 006A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 006A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 006A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006A2F0B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 958de4669fbe8d39f2b141666dd512d42b634396adc9976de73cfb1dd5e26303
Instruction ID: f22b3001f57d2c05dac2c5f24e7d3f9697f1bd574d9d24ee507d8880e06cabb4
Opcode Fuzzy Hash: 958de4669fbe8d39f2b141666dd512d42b634396adc9976de73cfb1dd5e26303
Instruction Fuzzy Hash: 2C31D130684252AFDB21EF58DC94FA537E2BB4B720F152164FA048F2A2CB71AC90DF51

Function 00677726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00677769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067778F
SysAllocString.OLEAUT32(00000000), ref: 00677792
SysAllocString.OLEAUT32(?), ref: 006777B0
SysFreeString.OLEAUT32(?), ref: 006777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 006777DE
SysAllocString.OLEAUT32(?), ref: 006777EC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 41b5271bcbccdfa647f549eeeef47c25b88431c2fb4aa834d4c0b099a3c6c563
Instruction ID: bc571ebe4de8712225fac41c4ceee929528898ae951d83ae51a7998dcfcf37f0
Opcode Fuzzy Hash: 41b5271bcbccdfa647f549eeeef47c25b88431c2fb4aa834d4c0b099a3c6c563
Instruction Fuzzy Hash: D821C176604219AFDF14EFA8DC88CFB77EEEB093647008025FA08DB250D670EC428B64

Function 006777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00677842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00677868
SysAllocString.OLEAUT32(00000000), ref: 0067786B
SysAllocString.OLEAUT32 ref: 0067788C
SysFreeString.OLEAUT32 ref: 00677895
StringFromGUID2.OLE32(?,?,00000028), ref: 006778AF
SysAllocString.OLEAUT32(?), ref: 006778BD

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c3869a8325ac9b84b3a5d9733883949d0ef7e2f41e67d2e701189246a7a8db8d
Instruction ID: 22b66e5d6c3a9bf8215bfd1a6d3d5c0e99d1cbbdc648c7ede5149c23d938b42f
Opcode Fuzzy Hash: c3869a8325ac9b84b3a5d9733883949d0ef7e2f41e67d2e701189246a7a8db8d
Instruction Fuzzy Hash: 00213235604114AFDB10AFA8DC88DBA77EDEB097607108235F919CB2A1DA74EC41CB65

Function 006804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0068052E

Strings

nul, xrefs: 00680567

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 261b402598a4e861e35d66326cdaa7188902686880c0aedf51983ba65c35ed60
Instruction ID: ed2ea71ec524856c77c4ac3182e199eaf3f8ddd9f06e212d4c7c9702a5be8de2
Opcode Fuzzy Hash: 261b402598a4e861e35d66326cdaa7188902686880c0aedf51983ba65c35ed60
Instruction Fuzzy Hash: 06216DB5600305AFEB60AF29DD44A9A77F6AF45724F204F19F8A1E62E0D7709948CF31

Function 006805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00680601

Strings

nul, xrefs: 00680639

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 970d1a18eb2ce9c32f885fce98f323d408bb88a3269bb45e689370473a856daf
Instruction ID: e2b253b6e3a925e69c0c2c214d2c77a21663cacf2c7a07b77665800c4470b217
Opcode Fuzzy Hash: 970d1a18eb2ce9c32f885fce98f323d408bb88a3269bb45e689370473a856daf
Instruction Fuzzy Hash: AD2171755003059FEB60AF698C04A9A77F6AF95730F200F19F9A1E72E0E77099A5CB20

Function 006A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0061600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0061604C
Part of subcall function 0061600E: GetStockObject.GDI32(00000011), ref: 00616060
Part of subcall function 0061600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0061606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006A4145

Strings

Msctls_Progress32, xrefs: 006A40E3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f1e9ab0463e535f47340c7264bf1c834c7ba3bb6245592d99c166fc6137f0fe2
Instruction ID: 4113082026f85bd5bd1f4b075b220674079a0dccfad5e381e807f0e0c5a96a58
Opcode Fuzzy Hash: f1e9ab0463e535f47340c7264bf1c834c7ba3bb6245592d99c166fc6137f0fe2
Instruction Fuzzy Hash: 1811B2B2140219BEEF119F64CC85EE77FAEEF09798F014111FA18A6150CAB29C61DBA4

Function 0064D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0064D7A3: _free.LIBCMT ref: 0064D7CC

_free.LIBCMT ref: 0064D82D

Part of subcall function 006429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000), ref: 006429DE
Part of subcall function 006429C8: GetLastError.KERNEL32(00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000,00000000), ref: 006429F0

_free.LIBCMT ref: 0064D838
_free.LIBCMT ref: 0064D843
_free.LIBCMT ref: 0064D897
_free.LIBCMT ref: 0064D8A2
_free.LIBCMT ref: 0064D8AD
_free.LIBCMT ref: 0064D8B8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: cff05ffac7fc4e43cf8f74031fa763a18b16b312df541884b707fa84d6b35c96
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: CC112171940B04ABEBA1BFB1CC47FCB7BDE6F04B00F80482DB299A6692DA75F5054654

Function 0067DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0067DA74
LoadStringW.USER32(00000000), ref: 0067DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0067DA91
LoadStringW.USER32(00000000), ref: 0067DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0067DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0067DAB9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ccdab5a85c2a35cf333c92d30cf22de32feaebd31a110d5baac613b82096f161
Instruction ID: 62c483a31aee6c0ea117184fed16140c3e0a18004c9df9bf2edb3e5c4d2dc5ae
Opcode Fuzzy Hash: ccdab5a85c2a35cf333c92d30cf22de32feaebd31a110d5baac613b82096f161
Instruction Fuzzy Hash: 0E0186F29002087FE710EBA4DD89EE737ADEB09711F405896F70AE2141EA74AE844F74

Function 0068096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00CCEBD8,00CCEBD8), ref: 0068097B
EnterCriticalSection.KERNEL32(00CCEBB8,00000000), ref: 0068098D
TerminateThread.KERNEL32(?,000001F6), ref: 0068099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 006809A9
CloseHandle.KERNEL32(?), ref: 006809B8
InterlockedExchange.KERNEL32(00CCEBD8,000001F6), ref: 006809C8
LeaveCriticalSection.KERNEL32(00CCEBB8), ref: 006809CF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: bb777034423115e77d90317fc55b26acc959bf27432f227b0202a7e9779d08a0
Instruction ID: 1826d408e04cb6aaabd303acdabfe01bfc7ef780c8284b9ebfc557dbddcf7022
Opcode Fuzzy Hash: bb777034423115e77d90317fc55b26acc959bf27432f227b0202a7e9779d08a0
Instruction Fuzzy Hash: 21F03131542902BBEB416F94EE8CBD67B36FF02712F403115F101508A0CB74A565DF90

Function 00691C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00691DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00691DE1
WSAGetLastError.WSOCK32 ref: 00691DF2
htons.WSOCK32(?,?,?,?,?), ref: 00691EDB
inet_ntoa.WSOCK32(?), ref: 00691E8C

Part of subcall function 006739E8: _strlen.LIBCMT ref: 006739F2

Part of subcall function 00693224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0068EC0C), ref: 00693240

_strlen.LIBCMT ref: 00691F35

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 672b6e40bd3aa753d390b9474b0cf79a935c1de1d08f327727a54dba41873c85
Instruction ID: 1632038b916aa8404a080a01158564c4609a18cbf997bb59c30662ed9d5f07a3
Opcode Fuzzy Hash: 672b6e40bd3aa753d390b9474b0cf79a935c1de1d08f327727a54dba41873c85
Instruction Fuzzy Hash: 50B1E131204341AFC724DF24C895E6A7BEAAF85318F68894CF4564F3A2DB31ED46CB91

Function 00615D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00615D30
GetWindowRect.USER32(?,?), ref: 00615D71
ScreenToClient.USER32(?,?), ref: 00615D99
GetClientRect.USER32(?,?), ref: 00615ED7
GetWindowRect.USER32(?,?), ref: 00615EF8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a0cb743faff9cda26a5e87b400f8da40dd4b67d11b600fada3b9b76b09036092
Instruction ID: cd7431ae5ffadc92631e7f412d5c8b41e84f7e6f2e8f3a982b97effd06af6954
Opcode Fuzzy Hash: a0cb743faff9cda26a5e87b400f8da40dd4b67d11b600fada3b9b76b09036092
Instruction Fuzzy Hash: 0AB16B34A0074ADBDB14CFA9C4817EAB7F2FF44314F18941AE8AAD7250DB30EA95DB54

Function 006401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006400D6
__allrem.LIBCMT ref: 006400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0064010B
__allrem.LIBCMT ref: 00640122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00640140

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 92bb41a82559ca318d4e691eedd6c7f9b876ba42040c24f3a981b5a65ab59139
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: D781E572A007169BE720AF69CC41BAB73EBAF51724F24453EFA51DB781E770D9008B94

Function 006461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006382D9,006382D9,?,?,?,0064644F,00000001,00000001,8BE85006), ref: 00646258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0064644F,00000001,00000001,8BE85006,?,?,?), ref: 006462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006463D8
__freea.LIBCMT ref: 006463E5

Part of subcall function 00643820: RtlAllocateHeap.NTDLL(00000000,?,006E1444,?,0062FDF5,?,?,0061A976,00000010,006E1440,006113FC,?,006113C6,?,00611129), ref: 00643852

__freea.LIBCMT ref: 006463EE
__freea.LIBCMT ref: 00646413

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3db0330d075be5cc74b8db5bdcd1670cb651828ef90dc922a84d018354324611
Instruction ID: d43ae23932f8dda5b16a38479c4febfb8f0f7203a4a690e89207dc0f1cd15e25
Opcode Fuzzy Hash: 3db0330d075be5cc74b8db5bdcd1670cb651828ef90dc922a84d018354324611
Instruction Fuzzy Hash: 1C51E172A00256ABEF268F64CC81EEF7BABEB46750F144669FC05D6280DB34DD41C6A1

Function 0069BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 0069C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069B6AE,?,?), ref: 0069C9B5
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069C9F1
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069CA68
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0069BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0069BD25
RegCloseKey.ADVAPI32(00000000), ref: 0069BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0069BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0069BDF3
RegCloseKey.ADVAPI32(?), ref: 0069BDFF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2b29b24704a6f6f07e5cee4b8376307e68803a05991a28f162bd6d2d5f760cdb
Instruction ID: d3b42e72d2127d8c9dc2efa7fd7074c493130d233b969b1619d2f04677cb6422
Opcode Fuzzy Hash: 2b29b24704a6f6f07e5cee4b8376307e68803a05991a28f162bd6d2d5f760cdb
Instruction Fuzzy Hash: 5981C130108241EFCB14DF24C995E6ABBEAFF85308F14895CF4594B2A2DB31ED45CB92

Function 0066F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0066F7B9
SysAllocString.OLEAUT32(00000001), ref: 0066F860
VariantCopy.OLEAUT32(0066FA64,00000000), ref: 0066F889
VariantClear.OLEAUT32(0066FA64), ref: 0066F8AD
VariantCopy.OLEAUT32(0066FA64,00000000), ref: 0066F8B1
VariantClear.OLEAUT32(?), ref: 0066F8BB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f367830a7c5920d4d437ed87a75be8f1ec40542f102d044b6f089c60c9107283
Instruction ID: 45e3df19b5ab4769ef08bb112575a6f6af44efb1d4059e36b8a9ca8c220c58c1
Opcode Fuzzy Hash: f367830a7c5920d4d437ed87a75be8f1ec40542f102d044b6f089c60c9107283
Instruction Fuzzy Hash: AB51D631A00310BBCF50AF65E895B69B3EBEF45310F24956AF906DF291DB709C41CB9A

Function 0068910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00617620: _wcslen.LIBCMT ref: 00617625

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 006894E5
_wcslen.LIBCMT ref: 00689506
_wcslen.LIBCMT ref: 0068952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00689585

Strings

X, xrefs: 00689412

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a3649bde5c838b3ef38694451b33585d4d7e84bd32b4a3180fd8ebff1b10cae8
Instruction ID: 25cc6c1f50eef4b7704a3653aa544d0d23dd69bc231544fa6df174eb380f2f86
Opcode Fuzzy Hash: a3649bde5c838b3ef38694451b33585d4d7e84bd32b4a3180fd8ebff1b10cae8
Instruction Fuzzy Hash: A4E1B5315043509FC754EF24C881AAAB7E2BF85314F08896DF8999B3A2DB31DD45CBA6

Function 0062920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

BeginPaint.USER32(?,?,?), ref: 00629241
GetWindowRect.USER32(?,?), ref: 006292A5
ScreenToClient.USER32(?,?), ref: 006292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006292D3
EndPaint.USER32(?,?,?,?,?), ref: 00629321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006671EA

Part of subcall function 00629339: BeginPath.GDI32(00000000), ref: 00629357

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ec8edfcb093ccc34760dc9363fd4ffef3f2879fef5ca16f3432af2345cb0b399
Instruction ID: e9c8ddc00ca750b1d149bcda587b1d5a28a3f0d483609a1f3eda7518ba7bee15
Opcode Fuzzy Hash: ec8edfcb093ccc34760dc9363fd4ffef3f2879fef5ca16f3432af2345cb0b399
Instruction Fuzzy Hash: 93419D30105750AFD711EF24DC84FBA7BAAEB86724F14022AF9948B2E2C731A845DF61

Function 006807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0068080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00680847
EnterCriticalSection.KERNEL32(?), ref: 00680863
LeaveCriticalSection.KERNEL32(?), ref: 006808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00680921

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 65155c05c6cbb61a6414574db64d6bde87da8df859a7fca922241df7ce352195
Instruction ID: e0e9543f562213edf08c5d815ae676c55689efcd468b7dcbcaf3ed5cc12ecbcb
Opcode Fuzzy Hash: 65155c05c6cbb61a6414574db64d6bde87da8df859a7fca922241df7ce352195
Instruction Fuzzy Hash: 09418A71A00205EBEF45AF54DC85AAA777AFF05310F1044B9ED00AA297DB30EE64DFA4

Function 006A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0066F3AB,00000000,?,?,00000000,?,0066682C,00000004,00000000,00000000), ref: 006A824C
EnableWindow.USER32(?,00000000), ref: 006A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 006A82D1
ShowWindow.USER32(?,00000004), ref: 006A82E5
EnableWindow.USER32(?,00000001), ref: 006A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 006A832F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2eb467c73f8750e94224a7c1465eb49aa9157bcaa7df0c6b92846ae6c2670135
Instruction ID: 9305efede9aa789d1eb718549e020c04fd1a73b059873e7555a15d93a370b610
Opcode Fuzzy Hash: 2eb467c73f8750e94224a7c1465eb49aa9157bcaa7df0c6b92846ae6c2670135
Instruction Fuzzy Hash: AF419030601644EFDF25EF54D899BE47BE2BB0B714F1851A9E6484F2A2CB31AD41CF90

Function 00674C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00674C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00674CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00674CEA
_wcslen.LIBCMT ref: 00674D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00674D10
_wcsstr.LIBVCRUNTIME ref: 00674D1A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 384e965f7c7b02a4f9ebd0cee274fb654a7f79995425ec04df0b02964fc73173
Instruction ID: 3bb15de5f47694eb018356910887fb636472e81e2443ccbfd958ad4bbafa8b58
Opcode Fuzzy Hash: 384e965f7c7b02a4f9ebd0cee274fb654a7f79995425ec04df0b02964fc73173
Instruction Fuzzy Hash: D121FC31204110BBEB269B39EC4DE7B7BAEDF46760F10907DF849CA191EF61DC0196A0

Function 0068581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00613AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00613A97,?,?,00612E7F,?,?,?,00000000), ref: 00613AC2

_wcslen.LIBCMT ref: 0068587B
CoInitialize.OLE32(00000000), ref: 00685995
CoCreateInstance.OLE32(006AFCF8,00000000,00000001,006AFB68,?), ref: 006859AE
CoUninitialize.OLE32 ref: 006859CC

Strings

.lnk, xrefs: 00685876, 006858C1, 00685985

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: d7b195e8dbd5e0e8b96bf6932fb205882e86e4e24f4d861c4d869ca202fc12c4
Instruction ID: 52991a3ba26a97855245e4df7078b22fdbd3617f4bfc9b121eb3cf59c8062b82
Opcode Fuzzy Hash: d7b195e8dbd5e0e8b96bf6932fb205882e86e4e24f4d861c4d869ca202fc12c4
Instruction Fuzzy Hash: E2D154756087019FC714EF24C4909AABBF2EF89710F148A5DF88A9B361DB31EC45CB92

Function 0067175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00670FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00670FCA
Part of subcall function 00670FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00670FD6
Part of subcall function 00670FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00670FE5
Part of subcall function 00670FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00670FEC
Part of subcall function 00670FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00671002

GetLengthSid.ADVAPI32(?,00000000,00671335), ref: 006717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006717BA
HeapAlloc.KERNEL32(00000000), ref: 006717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 006717DA
GetProcessHeap.KERNEL32(00000000,00000000,00671335), ref: 006717EE
HeapFree.KERNEL32(00000000), ref: 006717F5

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: cd14313e2f4c83597c14524729847dde3a8898110d7758a93648adb7b7550a46
Instruction ID: 2ececdae13585af57b66d0fcbe679e5587a4d73e7381e10211128699c326d23c
Opcode Fuzzy Hash: cd14313e2f4c83597c14524729847dde3a8898110d7758a93648adb7b7550a46
Instruction Fuzzy Hash: 8E118E71600205FFDB18AFA8CC49BEE7BAAEB47365F108019F4459B210D736AE44DF60

Function 006714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00671506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00671515
CloseHandle.KERNEL32(00000004), ref: 00671520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0067154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00671563

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6e37c2d985d0aa5c885a59ccb0cc0eb4513a49e58f9fb845fd1440364f1867ae
Instruction ID: aadcdc0d45d6351483e40d665ec3b40c54d54dd93ecd5a16ac2d5be131cce90c
Opcode Fuzzy Hash: 6e37c2d985d0aa5c885a59ccb0cc0eb4513a49e58f9fb845fd1440364f1867ae
Instruction Fuzzy Hash: 041159B250020DABDF11DF98DD49FDE7BAAEF4A714F048015FA09A6160C372DE64DB60

Function 00633382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00633379,00632FE5), ref: 00633390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0063339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006333B7
SetLastError.KERNEL32(00000000,?,00633379,00632FE5), ref: 00633409

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: af6ef5e5bf83129c7f9eb37c8cc333fee4b49d2ba56355527fe53b6e6ed5ec1e
Instruction ID: 541b333e901fff10795e8b054082d793f9917587939f371cc8ee69650b66c236
Opcode Fuzzy Hash: af6ef5e5bf83129c7f9eb37c8cc333fee4b49d2ba56355527fe53b6e6ed5ec1e
Instruction Fuzzy Hash: A0012833A0E332BEEB2427757C966966B97DB16379F20822EF410853F1EF124D0195C8

Function 00642D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00645686,00653CD6,?,00000000,?,00645B6A,?,?,?,?,?,0063E6D1,?,006D8A48), ref: 00642D78
_free.LIBCMT ref: 00642DAB
_free.LIBCMT ref: 00642DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0063E6D1,?,006D8A48,00000010,00614F4A,?,?,00000000,00653CD6), ref: 00642DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0063E6D1,?,006D8A48,00000010,00614F4A,?,?,00000000,00653CD6), ref: 00642DEC
_abort.LIBCMT ref: 00642DF2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 668ae82688b5b40da4f7540a8ebcde98aeee6abbf8388e45b3e9d26b0235bda4
Instruction ID: 828e8adeb36b2947ceff39e5823ee270f74d4e31ac268d83e8686c526b8e61df
Opcode Fuzzy Hash: 668ae82688b5b40da4f7540a8ebcde98aeee6abbf8388e45b3e9d26b0235bda4
Instruction Fuzzy Hash: B9F0F431D05A1367C7523339AC2AB5B265BAFC27B0B74001DF824922D2EE6098025124

Function 006A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00629639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00629693
Part of subcall function 00629639: SelectObject.GDI32(?,00000000), ref: 006296A2
Part of subcall function 00629639: BeginPath.GDI32(?), ref: 006296B9
Part of subcall function 00629639: SelectObject.GDI32(?,00000000), ref: 006296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 006A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 006A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 006A8A70
LineTo.GDI32(?,00000000,00000003), ref: 006A8A80
EndPath.GDI32(?), ref: 006A8A90
StrokePath.GDI32(?), ref: 006A8AA0

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 77ec4ab280d513441013c90622a3a93968a7e4348bf87743ed94c2c9c5ef9782
Instruction ID: e2b2a3cb8fd7c81a13e637b393d5a1ba83607480edd9a30ee8c017a4e71aac02
Opcode Fuzzy Hash: 77ec4ab280d513441013c90622a3a93968a7e4348bf87743ed94c2c9c5ef9782
Instruction Fuzzy Hash: 2D11DE7600015DFFDF11AF94DC88EDA7F6EEB06364F048011BA199A161C772AD55DFA0

Function 006751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00675218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00675229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00675230
ReleaseDC.USER32(00000000,00000000), ref: 00675238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0067524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00675261

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 913f3166f3cd70c351e5ecf737781e71718f50a04722b07313e88b6ef94d9374
Instruction ID: 97d569b74e08747454b02fc50d68921ffd6a963b8828411deb4eae6ee38c1671
Opcode Fuzzy Hash: 913f3166f3cd70c351e5ecf737781e71718f50a04722b07313e88b6ef94d9374
Instruction Fuzzy Hash: 83016275E00718BBEB10ABA59C49E5EBFBAEF49761F045065FA05A7381D6709D00CFA0

Function 00611BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00611BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00611BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00611C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00611C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00611C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00611C22

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 33877590d78f92f20fa14e2eedc300062f1c9e282a2fe7b5a93532fa5a951f60
Instruction ID: 1c2ff9880ae1bff5ea610d2ad6e6c4aad3f008030379722b8f55987ba373ec85
Opcode Fuzzy Hash: 33877590d78f92f20fa14e2eedc300062f1c9e282a2fe7b5a93532fa5a951f60
Instruction Fuzzy Hash: 140144B0902B5ABDE3009F6A8C85A52FEA8FF19354F04411BA15C4BA42C7B5A864CBE5

Function 0067EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0067EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0067EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0067EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0067EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0067EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0067EB75

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a1f7e90ab6f8553d9e9e741cfd5034c79d0951b21530016c345c341857d7a068
Instruction ID: fc93e0f47552db30d511353b05f9a9c16b0eff8f55dd4773c9448db2024557ab
Opcode Fuzzy Hash: a1f7e90ab6f8553d9e9e741cfd5034c79d0951b21530016c345c341857d7a068
Instruction Fuzzy Hash: 03F03072240558BBE7216B529C0DEEF3E7DEFCBB21F006159F601D1191DBA06A01CAB5

Function 00667439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00667452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00667469
GetWindowDC.USER32(?), ref: 00667475
GetPixel.GDI32(00000000,?,?), ref: 00667484
ReleaseDC.USER32(?,00000000), ref: 00667496
GetSysColor.USER32(00000005), ref: 006674B0

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 7467bcf8548035dd8b0399d13a61e99b03e56dec2c41bcebcc54f88e0712d764
Instruction ID: ad9de0542f64ae9c51017ed1bc518cb6acfc4ef9bd90e1d05815e8053dd39d0d
Opcode Fuzzy Hash: 7467bcf8548035dd8b0399d13a61e99b03e56dec2c41bcebcc54f88e0712d764
Instruction Fuzzy Hash: 62018B31400215EFDB10AF64DD08BEE7BB7FB05321F102060F915A21A0CF312E51AF60

Function 00671874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0067187F
UnloadUserProfile.USERENV(?,?), ref: 0067188B
CloseHandle.KERNEL32(?), ref: 00671894
CloseHandle.KERNEL32(?), ref: 0067189C
GetProcessHeap.KERNEL32(00000000,?), ref: 006718A5
HeapFree.KERNEL32(00000000), ref: 006718AC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8b5922773dc4ba09bf5fc40adf49c45a7b0121f1f3b74dd4935e2e8959393989
Instruction ID: a6906f66bd005c7919aa455b7906f549e3b797c2ebee7fc7d87b1058198fa299
Opcode Fuzzy Hash: 8b5922773dc4ba09bf5fc40adf49c45a7b0121f1f3b74dd4935e2e8959393989
Instruction Fuzzy Hash: 80E0E536204901BBDB016FA1ED0C90ABF7AFF4AB32B109220F22581070CB32A821EF50

Function 0061BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0061BEB3

Strings

D%n, xrefs: 0061BCA2
D%n, xrefs: 0061BE9A
D%nD%n, xrefs: 0061BCA5
D%n, xrefs: 0061BDED, 0061BD91, 0061BD1B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%n$D%n$D%n$D%nD%n
API String ID: 1385522511-3304344425
Opcode ID: 3299ebec34b15920c273b3ea5e5b953a27427df2ac9d80e601272b6499085f17
Instruction ID: 2f77456fda514b7783b4e38b953beb6f86b700d3b402f156c003d6431e0c8564
Opcode Fuzzy Hash: 3299ebec34b15920c273b3ea5e5b953a27427df2ac9d80e601272b6499085f17
Instruction Fuzzy Hash: 8D912975A0020ACFCB18CF59C0906EABBF3FF58310F289169D945AB350D771A982DBD0

Function 00697B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00630242: EnterCriticalSection.KERNEL32(006E070C,006E1884,?,?,0062198B,006E2518,?,?,?,006112F9,00000000), ref: 0063024D
Part of subcall function 00630242: LeaveCriticalSection.KERNEL32(006E070C,?,0062198B,006E2518,?,?,?,006112F9,00000000), ref: 0063028A

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 006300A3: __onexit.LIBCMT ref: 006300A9

__Init_thread_footer.LIBCMT ref: 00697BFB

Part of subcall function 006301F8: EnterCriticalSection.KERNEL32(006E070C,?,?,00628747,006E2514), ref: 00630202
Part of subcall function 006301F8: LeaveCriticalSection.KERNEL32(006E070C,?,00628747,006E2514), ref: 00630235

Strings

+Tf, xrefs: 00697E2E
G, xrefs: 00697C7F
5, xrefs: 00697C78
Variable must be of type 'Object'., xrefs: 00697C3A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tf$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3449942926
Opcode ID: 557bb36faafddb1296b0562e0929cb257269ea17e7bf489096ab9c5455888f41
Instruction ID: 454db1e34592b9d4b636f7817cc4d283ae315c497c311dc8fb5ac4a556d44013
Opcode Fuzzy Hash: 557bb36faafddb1296b0562e0929cb257269ea17e7bf489096ab9c5455888f41
Instruction Fuzzy Hash: 58918870A14209EFCF04EF94D8919ADB7BBAF48300F14804DF806AB792DB70AE85CB54

Function 0067C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00617620: _wcslen.LIBCMT ref: 00617625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0067C6EE
_wcslen.LIBCMT ref: 0067C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0067C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0067C7CA

Strings

0, xrefs: 0067C6AF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: d908fa86a837a783385283e72d1efca0439d0b3903c8ad1de190df1d8a05ea7e
Instruction ID: 634b9044a9865d343fa36eb6be51e5cf844927e1e7f09d2b0c7ffb187c2c3546
Opcode Fuzzy Hash: d908fa86a837a783385283e72d1efca0439d0b3903c8ad1de190df1d8a05ea7e
Instruction Fuzzy Hash: 6E5101716043009BD7589F28C885BABB7EAAF4A320F048A2DF999D72D1DB70DC449F56

Function 0069AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0069AEA3

Part of subcall function 00617620: _wcslen.LIBCMT ref: 00617625

GetProcessId.KERNEL32(00000000), ref: 0069AF38
CloseHandle.KERNEL32(00000000), ref: 0069AF67

Strings

<, xrefs: 0069AE6B
@, xrefs: 0069AE72

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d7af4e6990b3ec10f5740773a2713d944c48ebdef833bbae36ede8d08bd227e7
Instruction ID: a6bb8bce2a8d920e9bfd99046ed284d60cdd3c72ab30a1b5346d6b93ba82a128
Opcode Fuzzy Hash: d7af4e6990b3ec10f5740773a2713d944c48ebdef833bbae36ede8d08bd227e7
Instruction Fuzzy Hash: B1714670A00619DFCF14DF94C484A9EBBF6AF08310F08849DE856AB762CB75ED85CB95

Function 0067719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00677206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0067723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0067724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006772CF

Strings

DllGetClassObject, xrefs: 00677242

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 20c0f66ecbd6c9932bc0ef13409308cf1e40aa10de8cd15e9aa236d08355c5d0
Instruction ID: 781477dac2f0d458d48224737c142718ad61f7235e68c1469ca9f187d36f8f2d
Opcode Fuzzy Hash: 20c0f66ecbd6c9932bc0ef13409308cf1e40aa10de8cd15e9aa236d08355c5d0
Instruction Fuzzy Hash: 75416D71A04204EFDB15DF54C884A9A7BAAEF45310F2580ADFD299F20AD7B0DE45CBA0

Function 006A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A3E35
IsMenu.USER32(?), ref: 006A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A3E92
DrawMenuBar.USER32 ref: 006A3EA5

Strings

0, xrefs: 006A3D89

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 30db0fc0cf179f8b5714372ff590ff97151c887d0a63ec778f359901fa064060
Instruction ID: 7d41efcf4d253b396e4a3dd8ee19e51520ddcc388dfe213bd3b3d4151f058ec6
Opcode Fuzzy Hash: 30db0fc0cf179f8b5714372ff590ff97151c887d0a63ec778f359901fa064060
Instruction Fuzzy Hash: 04414875A01219EFDB10EF50D884AEABBBAFF4A364F04412AF905AB351D730AE55CF50

Function 00671DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 00673CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00673CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00671E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00671E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00671EA9

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

Strings

ComboBox, xrefs: 00671DF0
ListBox, xrefs: 00671E25

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 60046c55dce6f5e927cd32d3b4709a33d4dbb8fa94c7e796b82ae50ae3228246
Instruction ID: 3b6f33f0a0113b1502a19c529c3e33d430fc555ebc2041412f095aed69fcdf00
Opcode Fuzzy Hash: 60046c55dce6f5e927cd32d3b4709a33d4dbb8fa94c7e796b82ae50ae3228246
Instruction Fuzzy Hash: 32213B71A00104BEDB14AB68DC56CFFB7BBDF47360B14811EF85AA72E1DB344D469A60

Function 006A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006A2F8D
LoadLibraryW.KERNEL32(?), ref: 006A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006A2FA9
DestroyWindow.USER32(?), ref: 006A2FB1

Strings

SysAnimate32, xrefs: 006A2F68

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 594254003a8140d1df3ca43a4de0b6123821e29465feec3718910bf3be5c492f
Instruction ID: b3c6892353d8870519fe88ad60a9b5e6a956a1bdf968b21019dbc7edb24ead75
Opcode Fuzzy Hash: 594254003a8140d1df3ca43a4de0b6123821e29465feec3718910bf3be5c492f
Instruction Fuzzy Hash: F221D171280206AFEB106F68DC90EFB37BAEB5A364F101218F910D6290D731DC419B60

Function 00634D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00634D1E,006428E9,?,00634CBE,006428E9,006D88B8,0000000C,00634E15,006428E9,00000002), ref: 00634D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00634DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00634D1E,006428E9,?,00634CBE,006428E9,006D88B8,0000000C,00634E15,006428E9,00000002,00000000), ref: 00634DC3

Strings

mscoree.dll, xrefs: 00634D86
CorExitProcess, xrefs: 00634D98

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3de82d5f9d9e2d723c92a62af1b01c2c7bac86fa73c55e68ac81d454648c1026
Instruction ID: 6dc6381d217c2b0ba3ceacc04679c0d05d7518b0ff4b6981fff24db594fa7568
Opcode Fuzzy Hash: 3de82d5f9d9e2d723c92a62af1b01c2c7bac86fa73c55e68ac81d454648c1026
Instruction Fuzzy Hash: 55F03134A40208ABDB115B94DC49BDEBFE6EF44761F0001A4E805A2250CF716D40CFD0

Function 0066D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0066D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0066D3BF
FreeLibrary.KERNEL32(00000000), ref: 0066D3E5

Strings

X64, xrefs: 0066D2A8
GetSystemWow64DirectoryW, xrefs: 0066D3B9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: c41c43750fe6afc462057b1c4c40df38645ec695ca62b9de982d1969079c6e93
Instruction ID: cf2cffe01555356d38b975e9d801f27ed00246020529c822d44d6911b4fe4c5b
Opcode Fuzzy Hash: c41c43750fe6afc462057b1c4c40df38645ec695ca62b9de982d1969079c6e93
Instruction Fuzzy Hash: E1F05570F06A309BD7702B118C28AA9362BAF02B02F548015F602F9344DB60CE418E92

Function 00614E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00614EDD,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00614EAE
FreeLibrary.KERNEL32(00000000,?,?,00614EDD,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00614EA8
kernel32.dll, xrefs: 00614E94

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0a219abdd2e45b236648a569920602cbd8ca515d3f4eaf52438d0c511f1f2dde
Instruction ID: 53174c1de4783c5afd294f45a22a779e067fe02ae310a1b5a47dee7ed0064e69
Opcode Fuzzy Hash: 0a219abdd2e45b236648a569920602cbd8ca515d3f4eaf52438d0c511f1f2dde
Instruction Fuzzy Hash: 4CE08635B016225BD33127256C18BDB6556AF83B727090115FC04D3300DF60DD4148A1

Function 00614E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00653CDE,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00614E74
FreeLibrary.KERNEL32(00000000,?,?,00653CDE,?,006E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00614E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00614E6E
kernel32.dll, xrefs: 00614E5B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 36b3e0d5cc09b6fd0841d871b204eb9bc0d141e213b6dd10069c1016c123caf1
Instruction ID: 55d31bf07b2ad2fed23d4de9d7a39987ff1b5d058fa44a3f980ec632b047a0b5
Opcode Fuzzy Hash: 36b3e0d5cc09b6fd0841d871b204eb9bc0d141e213b6dd10069c1016c123caf1
Instruction Fuzzy Hash: 3BD01235A0263257D7222B257C18DCB6A1BAF87B7130A0615F905A3314CF61DD4299E0

Function 00682947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00682C05
DeleteFileW.KERNEL32(?), ref: 00682C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00682C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00682CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00682CC0

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 3bbc5a1bfc7329b617a5b3335d3b7989a11ccdda757d3a8208e0c876e5c5e949
Instruction ID: b1182f25a322f3fb7e3c8759ac05018db134d16594edb73746a278117807ffde
Opcode Fuzzy Hash: 3bbc5a1bfc7329b617a5b3335d3b7989a11ccdda757d3a8208e0c876e5c5e949
Instruction Fuzzy Hash: 59B18071D00119ABDF51EFA4CC95EEEB7BEEF48310F0041AAF609E6141EB319A448FA5

Function 0069A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0069A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0069A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0069A468
CloseHandle.KERNEL32(?), ref: 0069A63D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d94fa61a3aa904651a133aad90e006d73aed7ff0049f01e2f88724948bc5cdf0
Instruction ID: 8c7db32c6116a520f718391612a50d9112d826883ac10037d371bcb37c377ec9
Opcode Fuzzy Hash: d94fa61a3aa904651a133aad90e006d73aed7ff0049f01e2f88724948bc5cdf0
Instruction Fuzzy Hash: 24A1C1716043009FEB20DF24D886F6AB7E6AF84714F14881CF95A9B792DB70EC41CB96

Function 0067E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0067DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0067CF22,?), ref: 0067DDFD

Part of subcall function 0067DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0067CF22,?), ref: 0067DE16

Part of subcall function 0067E199: GetFileAttributesW.KERNEL32(?,0067CF95), ref: 0067E19A

lstrcmpiW.KERNEL32(?,?), ref: 0067E473
MoveFileW.KERNEL32(?,?), ref: 0067E4AC
_wcslen.LIBCMT ref: 0067E5EB
_wcslen.LIBCMT ref: 0067E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0067E650

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 48b3cc25930c0bf95139a36c08ad856b51ee3cd4a0d55802854b22f81110a92b
Instruction ID: c1d3a0a98d0fc839451ecc086aaa7c0a83c47431536ab0688d68288d59244872
Opcode Fuzzy Hash: 48b3cc25930c0bf95139a36c08ad856b51ee3cd4a0d55802854b22f81110a92b
Instruction Fuzzy Hash: 0F51B8B24083449BC764EB90CC919DFB3EE9F89350F00491EF589D3151EF75A68C8BAA

Function 0069B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 0069C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069B6AE,?,?), ref: 0069C9B5
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069C9F1
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069CA68
Part of subcall function 0069C998: _wcslen.LIBCMT ref: 0069CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0069BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0069BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0069BB63
RegCloseKey.ADVAPI32(?,?), ref: 0069BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0069BBB3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 115d88b1d189f50641ddfdcec553e5fa961f72162eb80a80d2ee2dd606400c97
Instruction ID: 7fdebfa926380a40ce09ff622656db21b051585198b92f57f24755ab373456c9
Opcode Fuzzy Hash: 115d88b1d189f50641ddfdcec553e5fa961f72162eb80a80d2ee2dd606400c97
Instruction Fuzzy Hash: 0661C031208241AFC714DF14C590E6ABBEAFF84318F14995CF49A8B7A2DB31ED45CB92

Function 00678BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00678BCD
VariantClear.OLEAUT32 ref: 00678C3E
VariantClear.OLEAUT32 ref: 00678C9D
VariantClear.OLEAUT32(?), ref: 00678D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00678D3B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 85a4913ae50b8e429f163b6dc23c44625307ae3f41573a2d91e45aad7390ac24
Instruction ID: 38626028c3ccacefea0917a0563d5c6a881318682321faf1df58bcb92521d1ed
Opcode Fuzzy Hash: 85a4913ae50b8e429f163b6dc23c44625307ae3f41573a2d91e45aad7390ac24
Instruction Fuzzy Hash: 4B5159B5A00619EFCB14DF68C894AAAB7F9FF8D310B158559E909DB350E730E911CF90

Function 00688AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00688BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00688BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00688C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00688C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00688C5F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 62195b13b5591ec26be21d9d21d7ffba026d9bbb467b6efcc921923a7ca7ef3c
Instruction ID: bc56d5ce6c2e17b6b695e2928cb42555be0de6dccafc23ee5bdcceb676cfc587
Opcode Fuzzy Hash: 62195b13b5591ec26be21d9d21d7ffba026d9bbb467b6efcc921923a7ca7ef3c
Instruction Fuzzy Hash: A9513C35A00215AFCB15EF64C881AADBBF6FF49314F088458E849AB362DB35ED51CF94

Function 00698EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00698F40
GetProcAddress.KERNEL32(00000000,?), ref: 00698FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00698FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00699032
FreeLibrary.KERNEL32(00000000), ref: 00699052

Part of subcall function 0062F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00681043,?,753CE610), ref: 0062F6E6
Part of subcall function 0062F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0066FA64,00000000,00000000,?,?,00681043,?,753CE610,?,0066FA64), ref: 0062F70D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7d5c26f8dd5b3d7f4ad8c9a8c0ddbcc63b026f3ca0d472fc95c8dd8f4d6df59e
Instruction ID: b67568d7859708dbf3477bf7808dc93a147a47a851869cd254535e403a9d431a
Opcode Fuzzy Hash: 7d5c26f8dd5b3d7f4ad8c9a8c0ddbcc63b026f3ca0d472fc95c8dd8f4d6df59e
Instruction Fuzzy Hash: 52511835600205DFCB55DF58C4948E9BBF6FF49324B0890A8E8169B762DB31ED86CF90

Function 006A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 006A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 006A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 006A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0068AB79,00000000,00000000), ref: 006A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 006A6CC7

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 9ec7a856e601c144243670ef6d41df8369980eaf912a5c9a6316a749a873bb4a
Instruction ID: 75ed8c28c442ac83a0cac09de61e78941917c15be376b474345d56fb491581d5
Opcode Fuzzy Hash: 9ec7a856e601c144243670ef6d41df8369980eaf912a5c9a6316a749a873bb4a
Instruction Fuzzy Hash: A441A035A04104AFD724EF28CC58BE97BA6EB0B360F190268F896A73A1C771AD51DE50

Function 00642051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006420C3
_free.LIBCMT ref: 006420E3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6ae9419682dc7f702862658e1ecb89a72143eaf8a4261ae0a66719b93ce4bd06
Instruction ID: d8b5743c4e94a29d638bfb773fe3d15a5c1ebdf14a973bb9852a2440c4a851b2
Opcode Fuzzy Hash: 6ae9419682dc7f702862658e1ecb89a72143eaf8a4261ae0a66719b93ce4bd06
Instruction Fuzzy Hash: 3341E632A002059FCB20DF78C890A9EB7F6EF88714F654569F615EB355D631AD01CB80

Function 0062912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00629141
ScreenToClient.USER32(00000000,?), ref: 0062915E
GetAsyncKeyState.USER32(00000001), ref: 00629183
GetAsyncKeyState.USER32(00000002), ref: 0062919D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4f50b3777f4688994e77a1320301ce758344440a36650b8fa0733ac832a65367
Instruction ID: a2bed16adc3d9d30cf60c2d9ea2fca70f64f650c70d008b6e04e09a529c7372a
Opcode Fuzzy Hash: 4f50b3777f4688994e77a1320301ce758344440a36650b8fa0733ac832a65367
Instruction Fuzzy Hash: 41417F7190861AABDF059F69D848BEEB776FB46324F24421AE425A62D0C7306D60CFA1

Function 00683874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00683922
TranslateMessage.USER32(?), ref: 0068394B
DispatchMessageW.USER32(?), ref: 00683955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00683966

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 2430c5a3a358638a4a5a3904edb2fdc18dc35a7c26c11bc5c6440cb91fdfde5e
Instruction ID: ebee0b1b706d76ec702b4773b1358d2d1d817233b9ffc4eebe4e5c7187219b30
Opcode Fuzzy Hash: 2430c5a3a358638a4a5a3904edb2fdc18dc35a7c26c11bc5c6440cb91fdfde5e
Instruction Fuzzy Hash: A431EB709043A59EEF35EB34D848BF637ABAB06700F04166DE4668A390F7F4A685DB11

Function 0068CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0068C21E,00000000), ref: 0068CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0068CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0068C21E,00000000), ref: 0068CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0068C21E,00000000), ref: 0068CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0068C21E,00000000), ref: 0068CFF2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 5652eaff4e1db7944a35efee4be739de407f9bdd020c57a87793fb66925298fc
Instruction ID: 91db7f3070c28748066d63902f83eefd8d2085e0f3e2461f8a49138f7314f858
Opcode Fuzzy Hash: 5652eaff4e1db7944a35efee4be739de407f9bdd020c57a87793fb66925298fc
Instruction Fuzzy Hash: 1D314F71504605AFEB20EFA5D884AABBBFBEF15364B10452EF606D2241DB30EE41DF60

Function 00671901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00671915
PostMessageW.USER32(00000001,00000201,00000001), ref: 006719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 006719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 006719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 006719E2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2aab470c82f46bb4ec1c240b11061d527afbc4c2798b3635ff06bd938e16404c
Instruction ID: 9687b1cfe5f8ff782120f9e2d4842371b2ec2b9490866b6932937ace6fe0d080
Opcode Fuzzy Hash: 2aab470c82f46bb4ec1c240b11061d527afbc4c2798b3635ff06bd938e16404c
Instruction Fuzzy Hash: B031A471900219EFCB10CF6CC959ADE3BB6EB46315F109216FA25AB2D1C770A945DB90

Function 006A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 006A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 006A579D
_wcslen.LIBCMT ref: 006A57AF
_wcslen.LIBCMT ref: 006A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A5816

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 79321a6f77c2f71598ca824407593ea4233ede0bad9356e606a3a5d74b43e33c
Instruction ID: 9d3b8c92d5f85dc6fee73344a728c506f331136dfbf42c5c48d19e9ba1f09d33
Opcode Fuzzy Hash: 79321a6f77c2f71598ca824407593ea4233ede0bad9356e606a3a5d74b43e33c
Instruction Fuzzy Hash: 6C215571904618DADB20EF64DC85AEE77BAFF06724F104216F92AEA280D770DD85CF90

Function 00690930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00690951
GetForegroundWindow.USER32 ref: 00690968
GetDC.USER32(00000000), ref: 006909A4
GetPixel.GDI32(00000000,?,00000003), ref: 006909B0
ReleaseDC.USER32(00000000,00000003), ref: 006909E8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 946caffaafd73256a062ab0fa848c7c2a29c1eb8b9cb1f104e73f2eb1c06d368
Instruction ID: e2e45fb5039b18af0f83e3c4d631f1eebdc53f2044041c0ca71ab781ff576bcd
Opcode Fuzzy Hash: 946caffaafd73256a062ab0fa848c7c2a29c1eb8b9cb1f104e73f2eb1c06d368
Instruction Fuzzy Hash: 8F218135600204AFD744EF65C988AAEBBEAEF45710F04946CE84AA7762DB30AC44CF90

Function 0064CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0064CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0064CDE9

Part of subcall function 00643820: RtlAllocateHeap.NTDLL(00000000,?,006E1444,?,0062FDF5,?,?,0061A976,00000010,006E1440,006113FC,?,006113C6,?,00611129), ref: 00643852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0064CE0F
_free.LIBCMT ref: 0064CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0064CE31

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8c486e69f6c23d4552f8166648a53c0403e3ec1f0da5f517d70f43b8faa3e8d0
Instruction ID: d98c0ab8f9bccc47289d9873b87c14da9a8c17da8d41c0dc7cdb358c4e3a90f0
Opcode Fuzzy Hash: 8c486e69f6c23d4552f8166648a53c0403e3ec1f0da5f517d70f43b8faa3e8d0
Instruction Fuzzy Hash: 6801D4726032167FA76126BA6C88CBB6D6FDEC7BB1315012DF905C7300EF618D0295B0

Function 00629639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00629693
SelectObject.GDI32(?,00000000), ref: 006296A2
BeginPath.GDI32(?), ref: 006296B9
SelectObject.GDI32(?,00000000), ref: 006296E2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 057ad26a72ae4d466e4bd4c0ad6d813799424348dfce74a32c99780f91c68c4f
Instruction ID: 716c9302ef333e2ef641ede62a4878053e89cb59f6391557573fcb20d3d3d02d
Opcode Fuzzy Hash: 057ad26a72ae4d466e4bd4c0ad6d813799424348dfce74a32c99780f91c68c4f
Instruction Fuzzy Hash: FB218030812755EBEB119F24EC58BE93BABBB82365F101216F410AE2F2D3745891DFA4

Function 00675711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00675726
_memcmp.LIBVCRUNTIME ref: 00675744
_memcmp.LIBVCRUNTIME ref: 00675757
_memcmp.LIBVCRUNTIME ref: 0067576F
_memcmp.LIBVCRUNTIME ref: 00675787

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 82c9ef92cf060a8a2b1b3a4bfe3c3066a119258a8ecd0a0e0398ec2580bf4ec8
Instruction ID: 7e28df588a9ee63c5d85e1e6c5cc794bd4a325210badae2ae9a7ae20090fb5b0
Opcode Fuzzy Hash: 82c9ef92cf060a8a2b1b3a4bfe3c3066a119258a8ecd0a0e0398ec2580bf4ec8
Instruction Fuzzy Hash: 1901B5A1641609BBE20C66219D92FFB735F9B223A4F008064FD0E9E241FBA1ED1186F5

Function 00642DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0063F2DE,00643863,006E1444,?,0062FDF5,?,?,0061A976,00000010,006E1440,006113FC,?,006113C6), ref: 00642DFD
_free.LIBCMT ref: 00642E32
_free.LIBCMT ref: 00642E59
SetLastError.KERNEL32(00000000,00611129), ref: 00642E66
SetLastError.KERNEL32(00000000,00611129), ref: 00642E6F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f5533dcd3506521933d483cff90c0a4019fc2bcadb1374c3180eb409973c6dac
Instruction ID: 5e374ca7d3e9d3e4f848fe783e9bf489f98a3f2671a6c6af18ead000ec514145
Opcode Fuzzy Hash: f5533dcd3506521933d483cff90c0a4019fc2bcadb1374c3180eb409973c6dac
Instruction Fuzzy Hash: 2E01F43260560367DB1277356CA6D6B266BABD27B5BF5102DF521E2392EE70CC019120

Function 0067000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?,?,?,0067035E), ref: 0067002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?,?), ref: 00670046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?,?), ref: 00670054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?), ref: 00670064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0066FF41,80070057,?,?), ref: 00670070

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2e560c128285fd2ed07481425432005a08df5443e8386b732bc85e45782459a9
Instruction ID: eb0ffec7d13c10f32450e1ffc7aca48cb9a31f8ac4a2c4de6031eafc8b84d2b5
Opcode Fuzzy Hash: 2e560c128285fd2ed07481425432005a08df5443e8386b732bc85e45782459a9
Instruction Fuzzy Hash: B8018B72600204FFEB105F68DC04BAA7EEFEB447B2F149124F909D2210EB75ED409BA0

Function 0067E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0067E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0067E9A5
Sleep.KERNEL32(00000000), ref: 0067E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0067E9B7
Sleep.KERNEL32 ref: 0067E9F3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: db7f2c2ce61aa6c5db940e79bcc63b2c9f19a1063ecefabb66cde1b54d4b455f
Instruction ID: 3c78cc1b07d9449687cef91b67c62bb7cfa504916b241a8738745ab7adf792a5
Opcode Fuzzy Hash: db7f2c2ce61aa6c5db940e79bcc63b2c9f19a1063ecefabb66cde1b54d4b455f
Instruction Fuzzy Hash: 8B015B32D01529DBCF00ABE4D859AEDBB7ABF0E311F004586E606B2241CB359659CFA1

Function 006710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00671114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 00671120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 0067112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00670B9B,?,?,?), ref: 00671136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067114D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 57dee6989e9028f5ff10354c264a3ac9dca85b7173d79ad319c8b8b26e2adfe8
Instruction ID: dd3dc34f4d65b38d5d6b95b00a210cbed59d103953147b724bbf120889fa15b3
Opcode Fuzzy Hash: 57dee6989e9028f5ff10354c264a3ac9dca85b7173d79ad319c8b8b26e2adfe8
Instruction Fuzzy Hash: E3011975200205BFDB115FA9DC49AAA3B6FEF8A3A0B604419FA45DB360DA31ED409E60

Function 00670FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00670FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00670FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00670FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00670FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00671002

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5f81ed8f4212fe6d5401902405e5c8d964db62403a392e79f5ddbcea153b8558
Instruction ID: 0acc790edc1a957f75a23d74f9fd683fc29f6e6fd88c0e922fc6e16d3a6b49ce
Opcode Fuzzy Hash: 5f81ed8f4212fe6d5401902405e5c8d964db62403a392e79f5ddbcea153b8558
Instruction Fuzzy Hash: 69F04935200301ABDB216FA8DC49F963BAEEF8A762F104415FA49CA251DE71EC908E60

Function 00671014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0067102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00671036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00671045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0067104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00671062

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 808318c57d987ba53d7f9711005c9a43c92f470f4baca352c014b075c0ea442b
Instruction ID: 686791c2b27911818d3c5e43ed1dc9abf1cdfe298045112ff6c596807a76d4ad
Opcode Fuzzy Hash: 808318c57d987ba53d7f9711005c9a43c92f470f4baca352c014b075c0ea442b
Instruction Fuzzy Hash: 63F04F35200305ABDB216FA8EC49F963B6EEF8A761F104415F949CA250DE71EC908E60

Function 0068030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0068017D,?,006832FC,?,00000001,00652592,?), ref: 00680324
CloseHandle.KERNEL32(?,?,?,?,0068017D,?,006832FC,?,00000001,00652592,?), ref: 00680331
CloseHandle.KERNEL32(?,?,?,?,0068017D,?,006832FC,?,00000001,00652592,?), ref: 0068033E
CloseHandle.KERNEL32(?,?,?,?,0068017D,?,006832FC,?,00000001,00652592,?), ref: 0068034B
CloseHandle.KERNEL32(?,?,?,?,0068017D,?,006832FC,?,00000001,00652592,?), ref: 00680358
CloseHandle.KERNEL32(?,?,?,?,0068017D,?,006832FC,?,00000001,00652592,?), ref: 00680365

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fa80d066187fff23caffab23e5d14398fd71ac892544d8b0d5eb53dd0d249b84
Instruction ID: 82d09c8ea98fe90c3bcbd8f1ec0fff857ba807a85eb365dd974878e70fe45ab5
Opcode Fuzzy Hash: fa80d066187fff23caffab23e5d14398fd71ac892544d8b0d5eb53dd0d249b84
Instruction Fuzzy Hash: B8019C76801B169FDB30AF66D880852FBFABE602153158E3ED19652A31C7B1A958DF80

Function 0064D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0064D752

Part of subcall function 006429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000), ref: 006429DE
Part of subcall function 006429C8: GetLastError.KERNEL32(00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000,00000000), ref: 006429F0

_free.LIBCMT ref: 0064D764
_free.LIBCMT ref: 0064D776
_free.LIBCMT ref: 0064D788
_free.LIBCMT ref: 0064D79A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9b3169aa40c924d7431ffd3a463cac05524946f412fe96a2a8d4166d254c1585
Instruction ID: 6376b47f88add9570488ac2969296801534819419f99f19d003d482cead826fb
Opcode Fuzzy Hash: 9b3169aa40c924d7431ffd3a463cac05524946f412fe96a2a8d4166d254c1585
Instruction Fuzzy Hash: C0F01232D4520AABD761EB66F9D5C5A7BDFBB447207E41C0AF048D7601C730FC808664

Function 00675C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00675C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00675C6F
MessageBeep.USER32(00000000), ref: 00675C87
KillTimer.USER32(?,0000040A), ref: 00675CA3
EndDialog.USER32(?,00000001), ref: 00675CBD

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0ca84eeef20255119c415c9da026e4519699c4ca4874f0c4855b30ef1e09f245
Instruction ID: e891114d7c0240ee9d9c5996e6bfbba24d5fb1b2fa45d36d90129bb4e3984cee
Opcode Fuzzy Hash: 0ca84eeef20255119c415c9da026e4519699c4ca4874f0c4855b30ef1e09f245
Instruction Fuzzy Hash: 2A018130500B04ABEB21AB14DD4EFE677BABB01B05F04669DB587A10E1DBF0B9858E91

Function 006422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006422BE

Part of subcall function 006429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000), ref: 006429DE
Part of subcall function 006429C8: GetLastError.KERNEL32(00000000,?,0064D7D1,00000000,00000000,00000000,00000000,?,0064D7F8,00000000,00000007,00000000,?,0064DBF5,00000000,00000000), ref: 006429F0

_free.LIBCMT ref: 006422D0
_free.LIBCMT ref: 006422E3
_free.LIBCMT ref: 006422F4
_free.LIBCMT ref: 00642305

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ec7abe5a19e968f9257538c59bc8b95eb8d9382c7265596f3102011621567420
Instruction ID: 6d08ace4a7c64d4d2a5883b20b812b059176625e92a7b7e0450a941127c4c899
Opcode Fuzzy Hash: ec7abe5a19e968f9257538c59bc8b95eb8d9382c7265596f3102011621567420
Instruction Fuzzy Hash: 94F01D708012929BDB52AF66AC918493F67F719B707A0250BF410DF271C7715692AAA8

Function 006295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006295D4
StrokeAndFillPath.GDI32(?,?,006671F7,00000000,?,?,?), ref: 006295F0
SelectObject.GDI32(?,00000000), ref: 00629603
DeleteObject.GDI32 ref: 00629616
StrokePath.GDI32(?), ref: 00629631

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a1f788e3ee695b89458119c4781a21b2f12993a1f912d0c43da83908ac59dca2
Instruction ID: 190f4a9a3eefa219ce916803daf82c1e12bf6419344e98f005625a820c0b7a9b
Opcode Fuzzy Hash: a1f788e3ee695b89458119c4781a21b2f12993a1f912d0c43da83908ac59dca2
Instruction Fuzzy Hash: F7F01930015748EBDB126F65ED587A43BA3AB43336F04A214F4255D1F2CB359991EF60

Function 00640F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 006410F9
__freea.LIBCMT ref: 00641117

Part of subcall function 00641537: _free.LIBCMT ref: 0064154F

Strings

a/p, xrefs: 006411DE
am/pm, xrefs: 0064117A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 81ef0953e6967a898708829cd7e3429558b2bbd0792f741f848441d4938ad31d
Instruction ID: 66d9da8840c5bae10e31af42880f982309f5766b56df0657ff0b18eb01a6a83f
Opcode Fuzzy Hash: 81ef0953e6967a898708829cd7e3429558b2bbd0792f741f848441d4938ad31d
Instruction Fuzzy Hash: 21D1F231910206DADB299F68C855BFABBB3EF07700F28411AE9119FB50D7759EC1CB91

Function 006961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00630242: EnterCriticalSection.KERNEL32(006E070C,006E1884,?,?,0062198B,006E2518,?,?,?,006112F9,00000000), ref: 0063024D
Part of subcall function 00630242: LeaveCriticalSection.KERNEL32(006E070C,?,0062198B,006E2518,?,?,?,006112F9,00000000), ref: 0063028A

Part of subcall function 006300A3: __onexit.LIBCMT ref: 006300A9

__Init_thread_footer.LIBCMT ref: 00696238

Part of subcall function 006301F8: EnterCriticalSection.KERNEL32(006E070C,?,?,00628747,006E2514), ref: 00630202
Part of subcall function 006301F8: LeaveCriticalSection.KERNEL32(006E070C,?,00628747,006E2514), ref: 00630235

Part of subcall function 0068359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006835E4
Part of subcall function 0068359C: LoadStringW.USER32(006E2390,?,00000FFF,?), ref: 0068360A

Strings

x#n, xrefs: 00696353
x#n, xrefs: 0069636F
x#n, xrefs: 0069633A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#n$x#n$x#n
API String ID: 1072379062-2067633748
Opcode ID: a58b6365b7210d53090c85e803e722ac2544a71ba84a6362d20a10bf2d56f720
Instruction ID: 7cbb8ed01ae8234fabd254d297caea7a3d886d1a77fe8bb5e8bdb62ad8fe6386
Opcode Fuzzy Hash: a58b6365b7210d53090c85e803e722ac2544a71ba84a6362d20a10bf2d56f720
Instruction Fuzzy Hash: C8C15A71A00209AFCF14DF98C891EFEB7BAEF48310F158069F9559B291DB70EA45CB90

Function 00645AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOa, xrefs: 00645BA8, 00645C6C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: JOa
API String ID: 0-3474510592
Opcode ID: 6adc1f3c2f8e6a93e6972b2e51c0884056ec2acc09c79af2ce9df61b992f2b82
Instruction ID: a7741af44836741ee61ba74c523521fac310d07d77c71f56c7ec087006359575
Opcode Fuzzy Hash: 6adc1f3c2f8e6a93e6972b2e51c0884056ec2acc09c79af2ce9df61b992f2b82
Instruction Fuzzy Hash: DE519071D00609DFDB119FA5C985FEEBBBAEF05310F14005DF406AB293D6719A42CB65

Function 00648A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00648B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00648B7A
__dosmaperr.LIBCMT ref: 00648B81

Strings

.c, xrefs: 00648A63

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .c
API String ID: 2434981716-2099080748
Opcode ID: bdf942e0afe98b45893b088a6825af91d3cbca1f1716219b2b18529085c75120
Instruction ID: 9de1a0127ca79aee5109bc6f284575823f14233acba8a1cd6ef4b402cf3f6a09
Opcode Fuzzy Hash: bdf942e0afe98b45893b088a6825af91d3cbca1f1716219b2b18529085c75120
Instruction Fuzzy Hash: B6416AB0A04145AFDB259F64CC80ABD7FE7DF86314F2881AAF8858B242DE718D539794

Function 00672716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0067B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006721D0,?,?,00000034,00000800,?,00000034), ref: 0067B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00672760

Part of subcall function 0067B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0067B3F8

Part of subcall function 0067B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0067B355
Part of subcall function 0067B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00672194,00000034,?,?,00001004,00000000,00000000), ref: 0067B365
Part of subcall function 0067B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00672194,00000034,?,?,00001004,00000000,00000000), ref: 0067B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0067281A

Strings

@, xrefs: 00672832

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d8b082103dae057823b5b3661f950f7394986da1be2b9af5c85354338511e3fb
Instruction ID: 437ecc98fea6534c1e62a98de5fcbea45b45c64bbe3cd06052fd0ed05d04106a
Opcode Fuzzy Hash: d8b082103dae057823b5b3661f950f7394986da1be2b9af5c85354338511e3fb
Instruction Fuzzy Hash: 97414F72900218AFDB10DFA4CD51BDEBBB9EF05310F009199FA59B7181DB716E85CBA1

Function 0064172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00641769
_free.LIBCMT ref: 00641834
_free.LIBCMT ref: 0064183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00641760, 00641767, 00641796, 006417CE

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: e6623b1ff369d621db0467496b16f080a485ca04c4358dd38878ed58ba79c36e
Instruction ID: 9044afcc0cf079c97ab23ef820b0c5e545c8a63f9e65a06838965aca15042b0c
Opcode Fuzzy Hash: e6623b1ff369d621db0467496b16f080a485ca04c4358dd38878ed58ba79c36e
Instruction Fuzzy Hash: 93318C71A00258AFDB21DB999C81D9EBBFEEF86310F24416AF9049F211D6708E80CB90

Function 0067C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0067C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0067C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006E1990,00CD57E0), ref: 0067C395

Strings

0, xrefs: 0067C2DF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7690c021ebeb96ebbe606bda3b52d0852c9b67f29c5adb98b311dda957849c80
Instruction ID: fb16d1b3930f1394affe2bb3128623a1c70bca62d83278a388d174252cd9a7e4
Opcode Fuzzy Hash: 7690c021ebeb96ebbe606bda3b52d0852c9b67f29c5adb98b311dda957849c80
Instruction Fuzzy Hash: 75418D712043019FD720DF25D885BAABBEAAF85330F14CA1DF9A9973D1D730A904CB66

Function 006A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006ACC08,00000000,?,?,?,?), ref: 006A44AA
GetWindowLongW.USER32 ref: 006A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006A44D7

Strings

SysTreeView32, xrefs: 006A447C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 99c17996aa3d3fc29f5227127713107204d18c191721348ab55b7df24d9c1152
Instruction ID: 4c3d2ef0dee7f6e8761d10c2e5f9abfa4bcee42ddb19a48451f03c5107794f91
Opcode Fuzzy Hash: 99c17996aa3d3fc29f5227127713107204d18c191721348ab55b7df24d9c1152
Instruction Fuzzy Hash: 3631B031200605AFDB20AF78DC45BDA77AAEB8A334F204729F975922D0DBB0EC509B50

Function 00676E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00676EED
VariantCopyInd.OLEAUT32(?,?), ref: 00676F08
VariantClear.OLEAUT32(?), ref: 00676F12

Strings

*jg, xrefs: 00676E8B, 00676E90, 00676EF8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jg
API String ID: 2173805711-2254401010
Opcode ID: 322159b11936b8387303a26c9042074e2e055617bd109c2c108d265897d500fb
Instruction ID: 73b59ca92b9883976476f0c624e5995364d0dd1c98dd1eba222ff46ae1cfc6f2
Opcode Fuzzy Hash: 322159b11936b8387303a26c9042074e2e055617bd109c2c108d265897d500fb
Instruction Fuzzy Hash: B8318F71604A46DFCB05AFA5E8519BD77B7EF85300B108498F9064B3B1CB389D52DBD8

Function 0069304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0069335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00693077,?,?), ref: 00693378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0069307A
_wcslen.LIBCMT ref: 0069309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00693106

Strings

255.255.255.255, xrefs: 00693095, 0069309A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 562282386f637bb07403b4ff6029718ec59e8fee7079ed2dda0bad4c499f807a
Instruction ID: f6974057a757dd149745fb85275bfec0dc35cb5a7ab61322db8ca1fcf4efe3c6
Opcode Fuzzy Hash: 562282386f637bb07403b4ff6029718ec59e8fee7079ed2dda0bad4c499f807a
Instruction Fuzzy Hash: 4A31E7356002119FCF20CF68C585EAA7BF6EF15318F248059E9158BBA2DB31EE45C770

Function 006A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A3F78

Strings

SysMonthCal32, xrefs: 006A3F0B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f6e549bd3723a3cbd6e9c8289b777debce1a6ff81401d29d6d7b6535cabd03df
Instruction ID: 518e70cfac5344b611606ee0ba86feb0ced34c6b101f753cb39db96318cfc7ac
Opcode Fuzzy Hash: f6e549bd3723a3cbd6e9c8289b777debce1a6ff81401d29d6d7b6535cabd03df
Instruction Fuzzy Hash: D921BF32610229BFDF219F90CC46FEA3B76EF4A724F111215FA156B2D0D6B1AD508B90

Function 006A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006A471A

Strings

msctls_updown32, xrefs: 006A4684

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f24485393367e70af0a3579c413f6ceabe5a7cebc2bc214cf6c24b7cfce03c77
Instruction ID: 9246c7f81161a5842b7cb44fd346731542029a241e5bd990f719810b73ab1d00
Opcode Fuzzy Hash: f24485393367e70af0a3579c413f6ceabe5a7cebc2bc214cf6c24b7cfce03c77
Instruction Fuzzy Hash: CA214FB5600245AFDB10EF68DCD1DA737AEEB8B3A4B041059F9009B361DB70EC51DA60

Function 006795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0067961D

Strings

#OnAutoItStartRegister, xrefs: 006795F3
#notrayicon, xrefs: 006795B7
#requireadmin, xrefs: 006795D9

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: e7354257e4b6724080e1d325742d6483f2bfb279a09b57c39326be5d0a3118ea
Instruction ID: 0b6654bf4a8e68a1fe8a9873ff465bf429f7de940ce51b9fde7cb4b9bec0cb3f
Opcode Fuzzy Hash: e7354257e4b6724080e1d325742d6483f2bfb279a09b57c39326be5d0a3118ea
Instruction Fuzzy Hash: 66212B7210462166E331BB259C02FF773EB9F55314F14852AF94D97282EB51AD82C2F9

Function 006A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006A3876

Strings

Listbox, xrefs: 006A380F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f136ab22d7c4c116629f05bbfd9c26f12b858e81d4965c366518f35c3a7a11b5
Instruction ID: 12f7921a88055092c18bdd69ca2d22249b7df8c9a622c93da593197018628dd8
Opcode Fuzzy Hash: f136ab22d7c4c116629f05bbfd9c26f12b858e81d4965c366518f35c3a7a11b5
Instruction Fuzzy Hash: 0D2183726102287BEB11AF54CC45EEB376BEF8A750F118115F9059B290C675DC518B90

Function 006849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00684A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00684A5C
SetErrorMode.KERNEL32(00000000,?,?,006ACC08), ref: 00684AD0

Strings

%lu, xrefs: 00684A6F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 74a44271bad94faad008cc1028ad4dbee7702ac991645ae2c0ea252afcfe94e4
Instruction ID: 65fa322eae3d8a7fac1ac37954d250590510a3027dcbb350c5622c5fdd8efac1
Opcode Fuzzy Hash: 74a44271bad94faad008cc1028ad4dbee7702ac991645ae2c0ea252afcfe94e4
Instruction Fuzzy Hash: 67317F70A00109AFD750EF54C881EAA7BFAEF09314F1480A9E809DB352DB71EE45CB61

Function 006A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006A4271

Strings

msctls_trackbar32, xrefs: 006A4226

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2fedeac6b0ba6ed08800513189251c6cd36aa3a7edb51d0ac2e83f1342bc7e0a
Instruction ID: 61408af14fcab8cae53000296ad3c92d6c128724746ea295d9181164d1349c7f
Opcode Fuzzy Hash: 2fedeac6b0ba6ed08800513189251c6cd36aa3a7edb51d0ac2e83f1342bc7e0a
Instruction Fuzzy Hash: 8211E331240248BEEF206F28CC46FEB3BAEEF86B64F010124FA55E6190D6B1DC519B50

Function 00672F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

Part of subcall function 00672DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00672DC5
Part of subcall function 00672DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00672DD6
Part of subcall function 00672DA7: GetCurrentThreadId.KERNEL32 ref: 00672DDD
Part of subcall function 00672DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00672DE4

GetFocus.USER32 ref: 00672F78

Part of subcall function 00672DEE: GetParent.USER32(00000000), ref: 00672DF9

GetClassNameW.USER32(?,?,00000100), ref: 00672FC3
EnumChildWindows.USER32(?,0067303B), ref: 00672FEB

Strings

%s%d, xrefs: 00672FFF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: db212f1b4d730b1920fceb4193dc36a415932a2832be7b6e747ff2cff2af02b4
Instruction ID: 4615e6c82eb77c80557d1b5f661c0460b9bc6f791a53b3a6486a07d64e00f458
Opcode Fuzzy Hash: db212f1b4d730b1920fceb4193dc36a415932a2832be7b6e747ff2cff2af02b4
Instruction Fuzzy Hash: FE11E1756002156BCF90BF70CC95EEE37ABAF85314F049079F90D9B292DE309A499B60

Function 006A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006A58EE
DrawMenuBar.USER32(?), ref: 006A58FD

Strings

0, xrefs: 006A588F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f6db3db084c9a5709a138b61fd791cde97dc5e1dc46062191ca8604cfae56084
Instruction ID: 4050771e90f7a432967a445b4492a7865bbf5a728f99bca99ba2f6b4f023834c
Opcode Fuzzy Hash: f6db3db084c9a5709a138b61fd791cde97dc5e1dc46062191ca8604cfae56084
Instruction Fuzzy Hash: D2015E31500258EEDB51AF11EC44BAFBBB6FF46360F1080A9F849DA251DB309E94DF21

Function 0067007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5263298e2c0ff58b1baed31de68d25f1c734885de537b91f4a741b7ee140083
Instruction ID: 62493631b549a0f2895c274d05dcf28745d1ea5298a3ca1723b480e5147f24ef
Opcode Fuzzy Hash: a5263298e2c0ff58b1baed31de68d25f1c734885de537b91f4a741b7ee140083
Instruction Fuzzy Hash: 40C14F75A00216EFDB14CFA4C894EAEB7B6FF48714F208598E519EB251D731EE41CBA0

Function 0069342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00693459
CoUninitialize.OLE32 ref: 00693463
VariantInit.OLEAUT32(?), ref: 0069346E
VariantClear.OLEAUT32(?), ref: 0069371B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 74bde150e707dc64f3f34d9628fe18e6e1b63d9322de16a9570ed3b49c132cac
Instruction ID: 50fea8db6b70f4c79e6d64a531c7a72afbc1cf0abc6c794942a74b4d0fc043d7
Opcode Fuzzy Hash: 74bde150e707dc64f3f34d9628fe18e6e1b63d9322de16a9570ed3b49c132cac
Instruction Fuzzy Hash: 54A139752046109FCB50DF24C485A6AB7FAFF88724F09885DF98A9B362DB30ED41CB55

Function 00670436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006AFC08,?), ref: 006705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006AFC08,?), ref: 00670608
CLSIDFromProgID.OLE32(?,?,00000000,006ACC40,000000FF,?,00000000,00000800,00000000,?,006AFC08,?), ref: 0067062D
_memcmp.LIBVCRUNTIME ref: 0067064E

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 20b2d1ba349df5392d9388a73d59e063ab8bc0d17cde36af4c229b290f82387a
Instruction ID: 6a8c468c3f864e9f9da47c8a6e660cf19288a3903697e530747eba01124c2a21
Opcode Fuzzy Hash: 20b2d1ba349df5392d9388a73d59e063ab8bc0d17cde36af4c229b290f82387a
Instruction Fuzzy Hash: B1811B71A00109EFDB04DF94C994EEEB7BAFF89315F208558E506AB250DB71AE46CF60

Function 0069A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0069A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0069A6BA

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Process32NextW.KERNEL32(00000000,?), ref: 0069A79C
CloseHandle.KERNEL32(00000000), ref: 0069A7AB

Part of subcall function 0062CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00653303,?), ref: 0062CE8A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 112bd3893d1a26a9624a281db5145b9cc1adbb11d2c134ca598d40ad76366d44
Instruction ID: 5ca5aa3dafb5f1a85efe80f1163c522dc967a2357b5feb0628cf1560dccacb53
Opcode Fuzzy Hash: 112bd3893d1a26a9624a281db5145b9cc1adbb11d2c134ca598d40ad76366d44
Instruction Fuzzy Hash: CB518E71508300AFD750EF24C886AABBBF9FF89754F04891DF58597251EB30E944CBA6

Function 00651391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006514C0

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b2615f3b2010158a6900fc3132c956f7bb1e6bc509cecd128dcdaed7d98cd0f7
Instruction ID: 6475cdad7b2d50f22b371378ebd5258f67ea463e23d337540863307cdd9934d3
Opcode Fuzzy Hash: b2615f3b2010158a6900fc3132c956f7bb1e6bc509cecd128dcdaed7d98cd0f7
Instruction Fuzzy Hash: 0C412931A00100ABDB216FF99C45BEE3AE7EF43371F140229FC29DA292E674894953A5

Function 006A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006A62E2
ScreenToClient.USER32(?,?), ref: 006A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 006A6382

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8005aa45a0e0d76d24d0f5b381f720de875f2c0a9641e62edb81a447873f9b72
Instruction ID: c50f92f8d9775aaecd9722d227dcf391c874fc3d2717c0559e98f323b39d1301
Opcode Fuzzy Hash: 8005aa45a0e0d76d24d0f5b381f720de875f2c0a9641e62edb81a447873f9b72
Instruction Fuzzy Hash: 1E51F974A00249EFDF10EF64D880AEE7BB6EF56360F149159F9159B291D730AD82CF50

Function 00691AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00691AFD
WSAGetLastError.WSOCK32 ref: 00691B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00691B8A
WSAGetLastError.WSOCK32 ref: 00691B94

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7208b5954383396f6daf73a89e0cd4afa629a2b7a814741476204634f5f9787b
Instruction ID: f7db7094d37315f4de77193638a433825bbaacfed2bb19facdc736ad8978defc
Opcode Fuzzy Hash: 7208b5954383396f6daf73a89e0cd4afa629a2b7a814741476204634f5f9787b
Instruction Fuzzy Hash: 37419134640201AFEB60AF24C886F6977E7AB45718F54C44CF9159F7D2D672ED828B90

Function 0064B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99aec5753efe5f25be2d21131c1a534951dead5db0ae8d3874ef935115cbb67b
Instruction ID: 2694c3ba81038119e800c3d80245e9137347929cd1f99ceb57ead61f74ba5a27
Opcode Fuzzy Hash: 99aec5753efe5f25be2d21131c1a534951dead5db0ae8d3874ef935115cbb67b
Instruction Fuzzy Hash: F141F375A00304AFD724AF78CC42BAABBEAEF88720F10952EF555DB682D771D9018784

Function 006856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00685783
GetLastError.KERNEL32(?,00000000), ref: 006857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006857FA

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ec957a52686971849bf963f387c15fb416f10d0826122e29675c7ebcf0813ca8
Instruction ID: 05b5adf18ca44406a1f2d9b19633a7ee44796ea9048c57d4d12ed863aaf3333f
Opcode Fuzzy Hash: ec957a52686971849bf963f387c15fb416f10d0826122e29675c7ebcf0813ca8
Instruction Fuzzy Hash: 4C412839600610DFCB11EF15C444A9EBBF3AF89320B18C488E84AAB362CB31FD41CB95

Function 0064D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00636D71,00000000,00000000,006382D9,?,006382D9,?,00000001,00636D71,?,00000001,006382D9,006382D9), ref: 0064D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0064D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0064D9AB
__freea.LIBCMT ref: 0064D9B4

Part of subcall function 00643820: RtlAllocateHeap.NTDLL(00000000,?,006E1444,?,0062FDF5,?,?,0061A976,00000010,006E1440,006113FC,?,006113C6,?,00611129), ref: 00643852

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0416002fa35a50a3015abff99509e3de8c14274b924e370ffd8a871dfb3db463
Instruction ID: 7e66c58eb17d06bc2d0ec19fa3bfd4a4674128827f1dd98ae013bd0f2204d681
Opcode Fuzzy Hash: 0416002fa35a50a3015abff99509e3de8c14274b924e370ffd8a871dfb3db463
Instruction Fuzzy Hash: FC31BA72E0020AABDF249F64DC85EEE7BA6EB41710F054268FC04DB291EB35DD54CBA0

Function 006A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 006A5352
GetWindowLongW.USER32(?,000000F0), ref: 006A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006A53A8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0fce85f4dbfeb3ce3a265b84225e162e8a6fc74c1cb9b75266a3e93b30ba2a38
Instruction ID: fa0fc86856d30ae8bb90e24192c560ec4e509a827bc5e87ea2d095e4fa34eb19
Opcode Fuzzy Hash: 0fce85f4dbfeb3ce3a265b84225e162e8a6fc74c1cb9b75266a3e93b30ba2a38
Instruction Fuzzy Hash: F131C330A55A08EFEF20FB14CC55BE83767AB87390F585041FA12962E1E7B0AD409F81

Function 0067AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0067ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0067AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0067AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0067ACC6

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 510fbdc3c4ab6012192f278e0b1389c18c5646f5488a656e34734ba29ed40882
Instruction ID: badd47ec6ab139f98e9a68e04a3875c62efaadd2c990459d97b121156152a263
Opcode Fuzzy Hash: 510fbdc3c4ab6012192f278e0b1389c18c5646f5488a656e34734ba29ed40882
Instruction Fuzzy Hash: 10310830A006187FEF36CBA58C05BFE7BA7ABC5320F04D31AE489922D1D37599858B56

Function 006A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006A769A
GetWindowRect.USER32(?,?), ref: 006A7710
PtInRect.USER32(?,?,006A8B89), ref: 006A7720
MessageBeep.USER32(00000000), ref: 006A778C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2e7804605b5ace2178304ac2d8ecf0e98dd393246873eb63e1097ac6122d9cdf
Instruction ID: 3620c788e15efe7900296bfb0997cfa105083d260c1bc1cf20c8375296d546b0
Opcode Fuzzy Hash: 2e7804605b5ace2178304ac2d8ecf0e98dd393246873eb63e1097ac6122d9cdf
Instruction Fuzzy Hash: 7A416834A092549FCB01EF58DC94EA9B7F6BB4A314F1950A8E8149F361D730ED42CF90

Function 006A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006A16EB

Part of subcall function 00673A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00673A57
Part of subcall function 00673A3D: GetCurrentThreadId.KERNEL32 ref: 00673A5E
Part of subcall function 00673A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006725B3), ref: 00673A65

GetCaretPos.USER32(?), ref: 006A16FF
ClientToScreen.USER32(00000000,?), ref: 006A174C
GetForegroundWindow.USER32 ref: 006A1752

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 89a7c805c350abd898e5d02d345e33c67851613ccd794f61f82c361e1964b90d
Instruction ID: fa546d4267e55933fbdc9841d6dc1ea909afd472db0b32ef975d551a158b23d3
Opcode Fuzzy Hash: 89a7c805c350abd898e5d02d345e33c67851613ccd794f61f82c361e1964b90d
Instruction Fuzzy Hash: BC311D75D00249AFC744EFA9C8818EEBBFAEF89314B5480A9E415E7211D631EE45CFA4

Function 006A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

GetCursorPos.USER32(?), ref: 006A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00667711,?,?,?,?,?), ref: 006A9016
GetCursorPos.USER32(?), ref: 006A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00667711,?,?,?), ref: 006A9094

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c420e34079a71db128bf22b7c52c21467543865cc60ac7724cc44aa292ec0133
Instruction ID: 82331b63fff4c540fd801a4104ba11fc0b855579b7cc0f23c4e14440581fd58c
Opcode Fuzzy Hash: c420e34079a71db128bf22b7c52c21467543865cc60ac7724cc44aa292ec0133
Instruction Fuzzy Hash: C7216035600118EFDB299F94D858EEA7BBBEB8B3A0F244059F5054B261C731AD50EF70

Function 0067D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,006ACB68), ref: 0067D2FB
GetLastError.KERNEL32 ref: 0067D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0067D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006ACB68), ref: 0067D376

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a57104caaaf90d0779baaaa507c4f760ef430fe2dfb409967008a41dbac9a9d6
Instruction ID: 6a7babd7a4635cf640a10b908999f0baf7c58a1b1e4940743dc9fbca50c00251
Opcode Fuzzy Hash: a57104caaaf90d0779baaaa507c4f760ef430fe2dfb409967008a41dbac9a9d6
Instruction Fuzzy Hash: 752171705052019FC710EF24C8818AA77F6AE57778F148E1DF499C72A1DB31DA46CBA7

Function 00671571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00671014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0067102A
Part of subcall function 00671014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00671036
Part of subcall function 00671014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00671045
Part of subcall function 00671014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0067104C
Part of subcall function 00671014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00671062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006715BE
_memcmp.LIBVCRUNTIME ref: 006715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00671617
HeapFree.KERNEL32(00000000), ref: 0067161E

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3c79d50f9f6d7844b2bc0308ffd8f44c9330364b77198184d48aab7437186a37
Instruction ID: 1b3e4a3d78987982322d98505ad9f91a7b89b351f52a3960219183e45d1cb652
Opcode Fuzzy Hash: 3c79d50f9f6d7844b2bc0308ffd8f44c9330364b77198184d48aab7437186a37
Instruction Fuzzy Hash: 2E218E71E00108EFDF14EFA8C945BEEB7BAEF46354F18845AE445AB241E730AA05DF90

Function 006A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006A2840

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 715258b0997acb9c78fb99270c1a89d41307a11d6930984f8c1f378d1ae7a22d
Instruction ID: 0175bd037269eff28c92de8e41c100e0c4dac2de563f4eaf519620c18e26ec12
Opcode Fuzzy Hash: 715258b0997acb9c78fb99270c1a89d41307a11d6930984f8c1f378d1ae7a22d
Instruction Fuzzy Hash: 9421C431644512AFD714AB28C854FAA7797AF46324F14815CF4268B6E2CB75FD82CF90

Function 006778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00678D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0067790A,?,000000FF,?,00678754,00000000,?,0000001C,?,?), ref: 00678D8C
Part of subcall function 00678D7D: lstrcpyW.KERNEL32(00000000,?,?,0067790A,?,000000FF,?,00678754,00000000,?,0000001C,?,?,00000000), ref: 00678DB2
Part of subcall function 00678D7D: lstrcmpiW.KERNEL32(00000000,?,0067790A,?,000000FF,?,00678754,00000000,?,0000001C,?,?), ref: 00678DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00678754,00000000,?,0000001C,?,?,00000000), ref: 00677923
lstrcpyW.KERNEL32(00000000,?,?,00678754,00000000,?,0000001C,?,?,00000000), ref: 00677949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00678754,00000000,?,0000001C,?,?,00000000), ref: 00677984

Strings

cdecl, xrefs: 0067797B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 890d36e949e659a5653e27a5b4979c51f48cd49f4cd78132f1f1ab8435f60b29
Instruction ID: 939f92eddddf2a1ea73b152c763977732076344d269cff8d88269f0e198ed182
Opcode Fuzzy Hash: 890d36e949e659a5653e27a5b4979c51f48cd49f4cd78132f1f1ab8435f60b29
Instruction Fuzzy Hash: 3911D63A201201AFCB156F34D845DBA77A6FF95350B50802EF94AC7364EF719C11CB95

Function 006A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 006A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 006A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0068B7AD,00000000), ref: 006A7D6B

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: be08f4c64b0669b9ec1029bc38f5f1ab3d786d23f982146e9dedee920028423d
Instruction ID: 5ff7c66bf9501acfcf612abd0f960a06a3a7b98e7458f063ff4d99441877f277
Opcode Fuzzy Hash: be08f4c64b0669b9ec1029bc38f5f1ab3d786d23f982146e9dedee920028423d
Instruction Fuzzy Hash: 14115E31605665AFCB10AF28DC44AAA3BA6AF47370B155724F835DB2E0D7309D51DF50

Function 006A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 006A56BB
_wcslen.LIBCMT ref: 006A56CD
_wcslen.LIBCMT ref: 006A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A5816

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: d16d5affe0fe2a3951cdb3acc31aecd9029ffe3507fa586d834b536985c53eac
Instruction ID: b3c9f1830383229bff7fdd17cec0aaa654f367bcdbc2bcd66b52c5d7b5d83b09
Opcode Fuzzy Hash: d16d5affe0fe2a3951cdb3acc31aecd9029ffe3507fa586d834b536985c53eac
Instruction Fuzzy Hash: 7511B17160061896DF20EF618C85AEE77AEEF16760F10512AF916DA181EB70DE84CFA4

Function 00641D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97274fc83993599f9ca1dee1b8a86a7a95d6993072a1da4cae965963496152d9
Instruction ID: 2f5987c7e6e9df6bff7d24d39bf1008b0efebebc6ecb8f370dc10381af4124f4
Opcode Fuzzy Hash: 97274fc83993599f9ca1dee1b8a86a7a95d6993072a1da4cae965963496152d9
Instruction Fuzzy Hash: 4801F2F2A096063EF71026786CC0FA7261FDF823B8B34132AF530592D2DB709C804134

Function 00671A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00671A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00671A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00671A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00671A8A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bb7e26e1da7aed5c45cc6c0771fe56505f152180fe1283e688ddcb3cddda35e9
Instruction ID: 2d7ee36fcb0cdf3b38d17f75ff71cd88d29137af099f1b5cd8b6c495ede4a8f0
Opcode Fuzzy Hash: bb7e26e1da7aed5c45cc6c0771fe56505f152180fe1283e688ddcb3cddda35e9
Instruction Fuzzy Hash: 0F113C3AD01219FFEB10DBA8CD85FADBB79EB05750F204092E604B7290D6716E50DB94

Function 0067E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0067E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0067E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0067E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0067E24D

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 674ecd6fa745b5333ac9a431dcf9ebf153614386a79088d4326295511ac17a57
Instruction ID: 06778db8f9c5ee0985e1ce26c4726f2dafb3bb3946fc8575d682f5fc3ece401f
Opcode Fuzzy Hash: 674ecd6fa745b5333ac9a431dcf9ebf153614386a79088d4326295511ac17a57
Instruction Fuzzy Hash: 6311DB76E04354BBC701AFA89C45ADF7FAF9B46320F148255F928D7391DA71DE048BA0

Function 0063D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0063CFF9,00000000,00000004,00000000), ref: 0063D218
GetLastError.KERNEL32 ref: 0063D224
__dosmaperr.LIBCMT ref: 0063D22B
ResumeThread.KERNEL32(00000000), ref: 0063D249

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 398145752c0b0c92d6654faebd4865394a6efd6cf2d6dff85149e8abadeba8b5
Instruction ID: 8fd6127ff36c61a9e4e4435dc98ef2b47c12f4c250c2ae9bab5448c4a4b106c7
Opcode Fuzzy Hash: 398145752c0b0c92d6654faebd4865394a6efd6cf2d6dff85149e8abadeba8b5
Instruction Fuzzy Hash: F5019636805104BBDB116BA5EC05BAB7A6BDF82731F104219F925961D0DF71DA05C7E0

Function 006A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00629BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00629BB2

GetClientRect.USER32(?,?), ref: 006A9F31
GetCursorPos.USER32(?), ref: 006A9F3B
ScreenToClient.USER32(?,?), ref: 006A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 006A9F7A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 50a2756e86f0014cebbd8d74041b638c1879f0104bb134031ef0b3a7fca6d9bf
Instruction ID: d9043df0a78fdecff280914ae2f4a0590acefc1a5d4cd137c665b4d58cbec637
Opcode Fuzzy Hash: 50a2756e86f0014cebbd8d74041b638c1879f0104bb134031ef0b3a7fca6d9bf
Instruction Fuzzy Hash: 7E11223290025AAFDB14EFA8D8899EE77BAEB46311F200455FA01E7140D330BE91CFB5

Function 0061600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0061604C
GetStockObject.GDI32(00000011), ref: 00616060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0061606A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 62a433d513022a282d85ac32b4c71a621258957b2c4f5f6fc931359dab9a4542
Instruction ID: ca8a1347e669d4d64810ee323b8bca77857d42afdb38b81b315ad9e71c8ae96e
Opcode Fuzzy Hash: 62a433d513022a282d85ac32b4c71a621258957b2c4f5f6fc931359dab9a4542
Instruction Fuzzy Hash: 5E11A172501508BFEF129FA4CD54EEABB6AEF0D365F041105FA0452110D732ECA0EF90

Function 00633B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00633B56

Part of subcall function 00633AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00633AD2
Part of subcall function 00633AA3: ___AdjustPointer.LIBCMT ref: 00633AED

_UnwindNestedFrames.LIBCMT ref: 00633B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00633B7C
CallCatchBlock.LIBVCRUNTIME ref: 00633BA4

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 49e4a6900df86e9e183b88ef14aab284b88dd13be1ae08b2add53e9da80f7c19
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: EE014C32100148BBDF125E95CC42EEB7F6EEF58754F044018FE4866221C736E961DBE4

Function 00643073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006113C6,00000000,00000000,?,0064301A,006113C6,00000000,00000000,00000000,?,0064328B,00000006,FlsSetValue), ref: 006430A5
GetLastError.KERNEL32(?,0064301A,006113C6,00000000,00000000,00000000,?,0064328B,00000006,FlsSetValue,006B2290,FlsSetValue,00000000,00000364,?,00642E46), ref: 006430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0064301A,006113C6,00000000,00000000,00000000,?,0064328B,00000006,FlsSetValue,006B2290,FlsSetValue,00000000), ref: 006430BF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 43b3d6dc88efd56025d5de549e2a165c1343172b767501a3643f804b551d12c6
Instruction ID: 0d1bc9a9a5df5f593ae5b756038c66aefd031cb84b78eeff52c5262ae975e12a
Opcode Fuzzy Hash: 43b3d6dc88efd56025d5de549e2a165c1343172b767501a3643f804b551d12c6
Instruction Fuzzy Hash: 6101A732705332ABDB315B799C45A977B9AAF46F71B210720F915E7340D721DA41CAE0

Function 00677464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0067747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00677497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006774CA

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: d46d8a8bcf10a429790f28840833e946f6e7eb926b171f70f2491b6852305bc5
Instruction ID: b293c14424a41d632b1afd48bce02a0842ce35a935eb8002706fb205b0113296
Opcode Fuzzy Hash: d46d8a8bcf10a429790f28840833e946f6e7eb926b171f70f2491b6852305bc5
Instruction Fuzzy Hash: F3118BB1209314ABE720DF24DC08BA2BBFEEB04B10F10C569A61AD6195D7B0E904DF60

Function 0067B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0067ACD3,?,00008000), ref: 0067B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0067ACD3,?,00008000), ref: 0067B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0067ACD3,?,00008000), ref: 0067B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0067ACD3,?,00008000), ref: 0067B126

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1b3354c19f2d97237ccff5ba73868a2d0275cd5eb1b5249be6290b77ce2a4ce0
Instruction ID: e4e26a8eab9f207cc3130f48c62a8a96dbb07b575a5a8ccc98b8645b37476c5a
Opcode Fuzzy Hash: 1b3354c19f2d97237ccff5ba73868a2d0275cd5eb1b5249be6290b77ce2a4ce0
Instruction Fuzzy Hash: C5113931E01529EBCF00EFA4E9687EEBB7AFF0A721F509096D945B2281CB305A518B55

Function 006A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006A7E33
ScreenToClient.USER32(?,?), ref: 006A7E4B
ScreenToClient.USER32(?,?), ref: 006A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006A7E8A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9f83be1b28348d5c024a14cffd8fd56d40fda9df5614959e25c4adcaecef6b9c
Instruction ID: 9a1db2863798f055b412e1e2bdb23f5b9b55efa542b45dd32c619b1a0a3f2801
Opcode Fuzzy Hash: 9f83be1b28348d5c024a14cffd8fd56d40fda9df5614959e25c4adcaecef6b9c
Instruction Fuzzy Hash: 1D1123B9D0024AAFDB41DF98C884AEEBBF9FF19310F509066E915E3210D735AA55CF90

Function 00672DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00672DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00672DD6
GetCurrentThreadId.KERNEL32 ref: 00672DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00672DE4

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c3008599df16c54017b562759a0d4474ab6d6731ff99e7c77a2dc04ddc652752
Instruction ID: af31e54314367f16b69c638f595e1643dfb65d54cb0c7efa0e904ad831244979
Opcode Fuzzy Hash: c3008599df16c54017b562759a0d4474ab6d6731ff99e7c77a2dc04ddc652752
Instruction Fuzzy Hash: 47E092716012247BD7306B729C0DFEB7E6EEF43BB1F106015F109D1080DAA0D841DAB0

Function 006A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00629639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00629693
Part of subcall function 00629639: SelectObject.GDI32(?,00000000), ref: 006296A2
Part of subcall function 00629639: BeginPath.GDI32(?), ref: 006296B9
Part of subcall function 00629639: SelectObject.GDI32(?,00000000), ref: 006296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 006A8887
LineTo.GDI32(?,?,?), ref: 006A8894
EndPath.GDI32(?), ref: 006A88A4
StrokePath.GDI32(?), ref: 006A88B2

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 072d463d1b380b340bf1c8f1ee0cbbd65373f563523c61ff38e80ff64973cf3f
Instruction ID: 821ee6f2e0a59a88d9f4feac08a7c2335ee3c50a6762221d3153369ee0286755
Opcode Fuzzy Hash: 072d463d1b380b340bf1c8f1ee0cbbd65373f563523c61ff38e80ff64973cf3f
Instruction Fuzzy Hash: FBF03A36045258BAEB126F94AC0DFCE3A5AAF07320F448000FA11691E2CB796911DFE9

Function 006298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006298CC
SetTextColor.GDI32(?,?), ref: 006298D6
SetBkMode.GDI32(?,00000001), ref: 006298E9
GetStockObject.GDI32(00000005), ref: 006298F1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9c5073211b9526d317a4e6d9fa444477fbb33265f23dc4559ffd80841525b44a
Instruction ID: 73fb7bac17d39d33d15a4d46bf3325d9d4f22d1e65e7e961d1eec6c6aa42cefd
Opcode Fuzzy Hash: 9c5073211b9526d317a4e6d9fa444477fbb33265f23dc4559ffd80841525b44a
Instruction Fuzzy Hash: 71E06531644680AADB216B78BC19BD83F52EB53335F048219F6F6541E1C7715A509F20

Function 0067162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00671634
OpenThreadToken.ADVAPI32(00000000,?,?,?,006711D9), ref: 0067163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006711D9), ref: 00671648
OpenProcessToken.ADVAPI32(00000000,?,?,?,006711D9), ref: 0067164F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ab71f62787b6b8d9ef17e2984a428eb10c4662b0b95f1f7a0f632ff937805757
Instruction ID: 6a4178c23ac5ec6941d1f0d105f755d2e91614b6b627ab94924edf4f4c087ae6
Opcode Fuzzy Hash: ab71f62787b6b8d9ef17e2984a428eb10c4662b0b95f1f7a0f632ff937805757
Instruction Fuzzy Hash: 1FE08631601211DBD7202FA49D0DF877B7EAF467A1F148809F245CD080D6345580CF50

Function 0066D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0066D858
GetDC.USER32(00000000), ref: 0066D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0066D882
ReleaseDC.USER32(?), ref: 0066D8A3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 103cfe4b077ee09c28aabe1c31ce6cbf635debc81a37de81c3ad6ad16e560456
Instruction ID: 3e843dfb9a29f65788b89c448c9920646bf494fec799764cf9474a42a211ce1f
Opcode Fuzzy Hash: 103cfe4b077ee09c28aabe1c31ce6cbf635debc81a37de81c3ad6ad16e560456
Instruction Fuzzy Hash: 92E09AB5900205EFCB41AFA0D90C66DFBF7FB49321F14A459E846E7360CB39A942AF50

Function 0066D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0066D86C
GetDC.USER32(00000000), ref: 0066D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0066D882
ReleaseDC.USER32(?), ref: 0066D8A3

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6e5802d563f2fac244b702263c184540181af379074924686a1cb890e3367901
Instruction ID: 77dc42ced19b80cdd7d2d64b7f9a0a7cfd3fbbe3c890d2213e759576f8ef5525
Opcode Fuzzy Hash: 6e5802d563f2fac244b702263c184540181af379074924686a1cb890e3367901
Instruction Fuzzy Hash: 7FE09A75800204DFCB51AFA0D80866DFBF6BB49321B14A449E946E7360CB39A9429F50

Function 00684D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00617620: _wcslen.LIBCMT ref: 00617625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00684ED4

Strings

LPT, xrefs: 00684DFB
*, xrefs: 00684E10

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ed8abdb17d4d787679d0b322cdc3a8a4c0fcd2d924a6b64016c24a64e18e9df8
Instruction ID: fd1968cf97adb73fd20b2585c44655d174cc5edada741861db0c9b402f85d46c
Opcode Fuzzy Hash: ed8abdb17d4d787679d0b322cdc3a8a4c0fcd2d924a6b64016c24a64e18e9df8
Instruction Fuzzy Hash: 88916175A002059FCB14EF58C484EAABBF2BF84304F19819DE5069F362DB75ED85CB91

Function 00697771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0066569E,00000000,?,006ACC08,?,00000000,00000000), ref: 006978DD

Part of subcall function 00616B57: _wcslen.LIBCMT ref: 00616B6A

CharUpperBuffW.USER32(0066569E,00000000,?,006ACC08,00000000,?,00000000,00000000), ref: 0069783B

Strings

<sm, xrefs: 006977C8

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sm
API String ID: 3544283678-3844207158
Opcode ID: 56cd97d2915347aabbc9309156b08a8a54c78d5869539323c9bf9ddf09ddf8ba
Instruction ID: fc0965aced739af3553127c7bf07a5494e12681c39554eb767802f6b36066ffe
Opcode Fuzzy Hash: 56cd97d2915347aabbc9309156b08a8a54c78d5869539323c9bf9ddf09ddf8ba
Instruction Fuzzy Hash: D3615F76924128AACF44FBE4CC91DFDB37AFF14300B485529F542A7191EF306A86DBA4

Function 0062E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0062E1B1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9be1d74d5ed524bbef311e562996da70f069be18d7e2e9695c12745d989a6873
Instruction ID: b3618f4d473a3741f6f7a040e2a5f23ed97313f554a8bb6334dabd621b87a52a
Opcode Fuzzy Hash: 9be1d74d5ed524bbef311e562996da70f069be18d7e2e9695c12745d989a6873
Instruction Fuzzy Hash: 98512639501256DFDF15DF28D4416FA7BABEF16310F248069E8929B3C0D6369E43CBA0

Function 0062F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0062F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0062F2BB

Strings

@, xrefs: 0062F2AF

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6afdad47c49fd6f121b02e39758f31f513ad6718ebf20cb397ba3cb38f9a026c
Instruction ID: 9201c7bac5cc80386b61fd44e44bcd465d7c266f9a6d2989d918855cb814a7f9
Opcode Fuzzy Hash: 6afdad47c49fd6f121b02e39758f31f513ad6718ebf20cb397ba3cb38f9a026c
Instruction Fuzzy Hash: B75166714087449BD320AF10DC86BAFBBF9FF85310F85885CF1D9420A5EB309569CB6A

Function 00695745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006957E0
_wcslen.LIBCMT ref: 006957EC

Strings

CALLARGARRAY, xrefs: 006957E6, 006957EB

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d6f7591592c70dd987f602d3372996a8bac0c7eb060129f06f52ffc079e9076c
Instruction ID: 64c82bc1258b7227d1c53f303c9e6892791dbf81a64eba567d22947463725daa
Opcode Fuzzy Hash: d6f7591592c70dd987f602d3372996a8bac0c7eb060129f06f52ffc079e9076c
Instruction Fuzzy Hash: 8F418D71A005199FCF04EFA8C9859EEBBBAEF59320F14806DE506A7351E7309D81CB90

Function 0068D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0068D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0068D13A

Strings

|, xrefs: 0068D10B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2d55721a9d4c607554f64cf4f9d5ef34f7388a32844bd6c6d89f1648345e8bf2
Instruction ID: 44918de8ce3cea058e2a9a78e08bd8134829658b66dce94fadec4f2fa8e4fb12
Opcode Fuzzy Hash: 2d55721a9d4c607554f64cf4f9d5ef34f7388a32844bd6c6d89f1648345e8bf2
Instruction Fuzzy Hash: 27316F75D00209ABCF55EFA4CC85EEEBFBAFF04304F040119F815A6265DB31AA46DB64

Function 006A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006A365C

Strings

static, xrefs: 006A35BC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a05ab6c2cc818c84d5b86410141b00dc6e4bf0d2842172468b18fe28e38a9da8
Instruction ID: f10e8eda12df2d627857d1af246c2a3f3432128deb5fe88673c4cf71eaec9b33
Opcode Fuzzy Hash: a05ab6c2cc818c84d5b86410141b00dc6e4bf0d2842172468b18fe28e38a9da8
Instruction Fuzzy Hash: FE319071500604AEDB10EF68DC80EFB73AAFF89720F00961DF8A597290DA31ED81DB64

Function 006A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 006A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006A4634

Strings

', xrefs: 006A458E

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 2cabd1edac776a6a8d842ced0b22f10427daf41f74ae3efa3a793937947afd8a
Instruction ID: 65ee0e52bb25c7545115cb2233fe5c2c366697039f3a013b654da896d06132d8
Opcode Fuzzy Hash: 2cabd1edac776a6a8d842ced0b22f10427daf41f74ae3efa3a793937947afd8a
Instruction Fuzzy Hash: 82310774A013099FDB14DFA9C990BDA7BB6FF8A340F14506AE905AB351DBB0AD41CF90

Function 006A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A3287

Strings

Combobox, xrefs: 006A3249

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ae1cd9eaa4930c8bfa08b3cb5c14cb179e5872285cdad38412f489ad3f0719f8
Instruction ID: fa784549505b27cc9dc61473fca69c552224878a8d322c3a508e8879a8b77955
Opcode Fuzzy Hash: ae1cd9eaa4930c8bfa08b3cb5c14cb179e5872285cdad38412f489ad3f0719f8
Instruction Fuzzy Hash: 741193712002186FEF11AF54DC81FEB375BEB56364F104129F91497390D6319E519B60

Function 006A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0061600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0061604C
Part of subcall function 0061600E: GetStockObject.GDI32(00000011), ref: 00616060
Part of subcall function 0061600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0061606A

GetWindowRect.USER32(00000000,?), ref: 006A377A
GetSysColor.USER32(00000012), ref: 006A3794

Strings

static, xrefs: 006A3757

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: cab352d0205acd4f31dcb650dcae9d3230aa924b0bef2af5d01e208d4429aed8
Instruction ID: 284ab07d44785e24533b40cbb3899534ab2e79375aeb139e3e8052ec21da7979
Opcode Fuzzy Hash: cab352d0205acd4f31dcb650dcae9d3230aa924b0bef2af5d01e208d4429aed8
Instruction Fuzzy Hash: 191129B2610219AFDB00EFA8CC45EFA7BB9EB0A354F005514F955E6250E735EC519F60

Function 0068CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0068CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0068CDA6

Strings

<local>, xrefs: 0068CD66

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 484cf578fc42044a929b59be9418d84ff6fc028ed42ca0c0d65dfa4281a0d853
Instruction ID: e68071d0d4a98634d2766064b62613788c64266370d75db5317b74e0a3b56b6e
Opcode Fuzzy Hash: 484cf578fc42044a929b59be9418d84ff6fc028ed42ca0c0d65dfa4281a0d853
Instruction Fuzzy Hash: 4A11C271205631BAD7387B668C49EE7BEAEEF527B4F00432AB10993180D7709842D7F0

Function 006A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006A34BA

Strings

edit, xrefs: 006A348F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 54cc76b0311c5820d2611ac547acefea015516fac887bfd5aa971706aa73d257
Instruction ID: 1f0f39d5860ed4e4eb9e88d625603b3d4f8b065d45664c006d12d7a66254a113
Opcode Fuzzy Hash: 54cc76b0311c5820d2611ac547acefea015516fac887bfd5aa971706aa73d257
Instruction Fuzzy Hash: 09116D71500218AFEB11AE64DC44AEB37ABEB0A374F504324F961973D0C771EC919F50

Function 00676C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

CharUpperBuffW.USER32(?,?,?), ref: 00676CB6
_wcslen.LIBCMT ref: 00676CC2

Strings

STOP, xrefs: 00676CBC, 00676CC1

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: de168874f4e88c991022c6f78d068feaf6cd5546f20d8418ec47730c9d297212
Instruction ID: 2a670e8a98f442b662379b71abbb15c81f4ca8fc7c11412f04258ae3718a1887
Opcode Fuzzy Hash: de168874f4e88c991022c6f78d068feaf6cd5546f20d8418ec47730c9d297212
Instruction Fuzzy Hash: 4F01D632A209268BCB21AFFDDC919FF77B7EF61710B104928F95697294EB31D940C650

Function 00671CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 00673CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00673CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00671D4C

Strings

ComboBox, xrefs: 00671CEB
ListBox, xrefs: 00671D16

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b51204e674bdf9b9bcfcfc989b8bc32a3267b44c12af1fd8d7035b743c7d72bb
Instruction ID: e02b8db45b05158e9798fa9a14a996782c6a311b4d5918298ad8dead486f6acf
Opcode Fuzzy Hash: b51204e674bdf9b9bcfcfc989b8bc32a3267b44c12af1fd8d7035b743c7d72bb
Instruction Fuzzy Hash: 3F01D871601218ABCB58EBA8CD61DFE736AEF47390B04491FF8665B3C1EA3059089A70

Function 00671BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 00673CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00673CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00671C46

Strings

ComboBox, xrefs: 00671BE5
ListBox, xrefs: 00671C10

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 02b9deca5695a3822acd4d4ce4f063087c3431709ee2af21ef247056d4a3992a
Instruction ID: a788bab0985f1f7818fe119d51f36ece4f5c9b0dca0e3173c578412509a69aff
Opcode Fuzzy Hash: 02b9deca5695a3822acd4d4ce4f063087c3431709ee2af21ef247056d4a3992a
Instruction Fuzzy Hash: D001FC71A4010466CB05E7D4C9629FF73AA9B12340F24401FA80A6B3C1EA249E4896B5

Function 00671C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 00673CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00673CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00671CC8

Strings

ComboBox, xrefs: 00671C69
ListBox, xrefs: 00671C94

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 76c86c17113162529c428d10d4dddfc29c963989eb71467eeebc35ddfefbd3a8
Instruction ID: b2bbf6ab5687bde8655ac0ea479daa130370668e73c3f84420de741971e779ff
Opcode Fuzzy Hash: 76c86c17113162529c428d10d4dddfc29c963989eb71467eeebc35ddfefbd3a8
Instruction Fuzzy Hash: 6C01DB71A8011467CB15EBD4CB22AFE73AA9B12340F14401BB84677381EA249F08D6B5

Function 0062A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0062A529

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Strings

3yf, xrefs: 0062A545, 0062A54D, 0062A552
,%n, xrefs: 0062A509

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%n$3yf
API String ID: 2551934079-3074667597
Opcode ID: 723aba19b64687b74e8f9af562a428e74596c190ccd8dcf1bc1081909f8e501c
Instruction ID: 3a8e158f16d05426dc1114682a41193b1eecbf262926d03b8df46b62051d3350
Opcode Fuzzy Hash: 723aba19b64687b74e8f9af562a428e74596c190ccd8dcf1bc1081909f8e501c
Instruction Fuzzy Hash: 0C012B32700A615BD604F7E8E877ADE73AB9B05720F54041CF9026B2C2DE909D458EDF

Function 00671D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00619CB3: _wcslen.LIBCMT ref: 00619CBD

Part of subcall function 00673CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00673CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00671DD3

Strings

ComboBox, xrefs: 00671D75
ListBox, xrefs: 00671DA0

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b8330b2dee35a6787d22ba76a7daf852137ddced0fb068ce261512a410637f7e
Instruction ID: 774eebb0796718397c25adff794ce4227aef37db1307a64b80ce62465011b074
Opcode Fuzzy Hash: b8330b2dee35a6787d22ba76a7daf852137ddced0fb068ce261512a410637f7e
Instruction Fuzzy Hash: 99F0F471A4021466CB58F7A8CC62BFE737AAF02350F08091BB866673C1DA605A088AB4

Function 006A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006E3018,006E305C), ref: 006A81BF
CloseHandle.KERNEL32 ref: 006A81D1

Strings

\0n, xrefs: 006A818A

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0n
API String ID: 3712363035-4020991082
Opcode ID: 2c7894e4e8223f51cfa77461a84fd1990eeb49b948e793265cc9b9e7bb01eed5
Instruction ID: 0df68895fde6b4af7bcf7743c332d869ba9e6eddb081f7c651ff12b0a7e2a48f
Opcode Fuzzy Hash: 2c7894e4e8223f51cfa77461a84fd1990eeb49b948e793265cc9b9e7bb01eed5
Instruction Fuzzy Hash: 04F089B1640350BEF7607B656C49FB73A9EDB05754F001464BB08DB2A1D6769E0487F8

Function 0069747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00697493
_wcslen.LIBCMT ref: 006974B9

Strings

3, 3, 16, 1, xrefs: 00697483

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 21847de3047cc9acf3b11fedb39a422edc0a3d061b74fa7bc50c5a8f80b1670b
Instruction ID: bfef9e1cfd153b085678f308abf8f765ec59fce5f48cafa9945022459a73ba13
Opcode Fuzzy Hash: 21847de3047cc9acf3b11fedb39a422edc0a3d061b74fa7bc50c5a8f80b1670b
Instruction Fuzzy Hash: DDE02B0262422010977112799CC1BBF97CFCFC9B60B14182FF985C23A7EE949D9193E5

Function 00670B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00670B23

Strings

AutoIt, xrefs: 00670B17
Error allocating memory., xrefs: 00670B1C

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ea0ab576ae5ea8aae29de7d9c7c680ef23d477e02f9664b370d248a47f06d7d4
Instruction ID: 8a4a356e8f1c897221fc90cc638da013933c672824a16f4410e91096809de3e1
Opcode Fuzzy Hash: ea0ab576ae5ea8aae29de7d9c7c680ef23d477e02f9664b370d248a47f06d7d4
Instruction Fuzzy Hash: C6E0D83124431836D2503754BC03FC9BA878F06F30F10046FF788555C38EE268904AED

Function 00630D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0062F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00630D71,?,?,?,0061100A), ref: 0062F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0061100A), ref: 00630D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0061100A), ref: 00630D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00630D7F

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 21b454029eedb18c55dcc0a3a2acadfec423610e3975916eda3a751d1d346f3b
Instruction ID: 6ac057316eb78082780037252a622addce36804886983ee00fc164a3f8ecc296
Opcode Fuzzy Hash: 21b454029eedb18c55dcc0a3a2acadfec423610e3975916eda3a751d1d346f3b
Instruction Fuzzy Hash: 15E06D702007518BE360AFBCE414386BBE2BF05740F00492DE482C6651DBB1E8888FE1

Function 0062E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0062E3D5

Strings

8%n, xrefs: 0062E3CA
0%n, xrefs: 0062E3B5

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%n$8%n
API String ID: 1385522511-62732156
Opcode ID: c41373b6c053532e651ca7afd7dd13fdf140712033101b594c4add55590fc0b6
Instruction ID: 9b5b32623837b2d920ff29b1db35c199888a194c46de48ffc9adaf59c57326ab
Opcode Fuzzy Hash: c41373b6c053532e651ca7afd7dd13fdf140712033101b594c4add55590fc0b6
Instruction Fuzzy Hash: 52E08635455FB5CBDB04DB18BABDACC339FBB05321B5021BDE1128B2D5DBB128418A99

Function 00683017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0068302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00683044

Strings

aut, xrefs: 00683038

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e6e3eb4b62932ef043e9a6ff89b742dd8f620d347c7744f97e8720e6a0f50382
Instruction ID: db4aaee0a11df49bee9f60f0d8e8f5028970bf116e499753058b44fc346b90b7
Opcode Fuzzy Hash: e6e3eb4b62932ef043e9a6ff89b742dd8f620d347c7744f97e8720e6a0f50382
Instruction Fuzzy Hash: B0D05B7150031467DB20A7949D0DFC73B6CD705760F000152B655D2091DAB0A644CED0

Function 0066D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0066D220

Strings

X64, xrefs: 0066D2A8
%.3d, xrefs: 0066D22B

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 0236627c064ff4e3a75b32b7389fe08628d1b66288ada96f6ca75ba53ce57614
Instruction ID: 8af9a2d63a7999f3867292686813f77180531fc45993a8c310559ae9451bee6c
Opcode Fuzzy Hash: 0236627c064ff4e3a75b32b7389fe08628d1b66288ada96f6ca75ba53ce57614
Instruction Fuzzy Hash: B1D012A1D08118EACB9097D0DC559B9B37EAB18301F508462FA0691040E724D70A6B61

Function 006A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006A236C
PostMessageW.USER32(00000000), ref: 006A2373

Part of subcall function 0067E97B: Sleep.KERNEL32 ref: 0067E9F3

Strings

Shell_TrayWnd, xrefs: 006A2365

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0eb75681ee2be0c021a7b94ec9ef99b416e2ee32a07902d911f44845ddbcc433
Instruction ID: 445696d12497bf715aa4a46def1bbc8c55d9048cb3db96cbde2959d46d534313
Opcode Fuzzy Hash: 0eb75681ee2be0c021a7b94ec9ef99b416e2ee32a07902d911f44845ddbcc433
Instruction Fuzzy Hash: 56D0C9327813107AE6A4B770DC0FFC666169B16B20F015916B755AA1D0C9A0B8058A58

Function 006A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006A233F

Part of subcall function 0067E97B: Sleep.KERNEL32 ref: 0067E9F3

Strings

Shell_TrayWnd, xrefs: 006A2325

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 948280385ec32c5e3964f1813169c2c262b32bf1ec2aa91b9501d4cb0dedd87b
Instruction ID: fb53fa70289b5cca497242c08a927ecb924599061bb351150114166274f472bb
Opcode Fuzzy Hash: 948280385ec32c5e3964f1813169c2c262b32bf1ec2aa91b9501d4cb0dedd87b
Instruction Fuzzy Hash: F3D01236794310B7E7A4B770DC0FFC67A169B16B20F015916B759AA1D0C9F0B805CE54

Function 0064BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0064BE93
GetLastError.KERNEL32 ref: 0064BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0064BEFC

Memory Dump Source

Source File: 00000000.00000002.1833957006.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1832766999.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1836820754.00000000006D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837424913.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1837472710.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 9580c25be2ac140e452657066d356ab597412cee8be3907cc844ba5c0afea674
Instruction ID: 1c6340f71d5933a9ef8a95bf3d40fe12a42fa09dfd91ddaa3d61b358fa1f3292
Opcode Fuzzy Hash: 9580c25be2ac140e452657066d356ab597412cee8be3907cc844ba5c0afea674
Instruction Fuzzy Hash: C241F534600206AFCF618FA5CC44AFABBA7EF42360F14A169F95D972A1DB30DD05DB50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 52.222.236.23 52.222.236.23
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1992610873.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010606323.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909523303.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1909180051.000001FD5D4C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1991132805.000001FD5AA34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1991132805.000001FD5AA58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1996175177.000001FD5AA59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992610873.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909523303.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010606323.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2024067577.000001FD5D52E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1846500423.000001FD52266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SERP Ad Telemetry Rollout^application\/(?:.+\+)?json$https://www.amazon.co.uk/devtools.jsonview.enablednimbus-desktop-experimentsSSF_updateSessionStoreForStorageoptInToExperiment/recipe<https://www.facebook.com/__MSG_searchUrlGetParams__updateSessionStoreForStoragers-experiment-loader-timerhttps://www.leboncoin.fr/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1846500423.000001FD52266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991132805.000001FD5AA34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844621105.000001FD594E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1991132805.000001FD5AA58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1996175177.000001FD5AA59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844621105.000001FD594E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3635410526.000001141FA0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3635410526.000001141FA0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3635410526.000001141FA0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3635611653.00000256D8403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3635410526.000001141FA0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3635611653.00000256D8403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3635410526.000001141FA0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3635611653.00000256D8403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3635410526.000001141FA0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1910851998.000001FD5CF92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989867633.000001FD5CF92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992610873.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010606323.000001FD5D462000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995221914.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2024067577.000001FD5D52E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1995221914.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000610682.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015185974.000001FD532AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1991699816.000001FD59510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.23:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50056 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50057 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50058 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b0bd22ac-4b5a-46d3-bae1-657a8d7542cc.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b0bd22ac-4b5a-46d3-bae1-657a8d7542cc.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LZ2YW1XSG67FDESNELJ2.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MIIY1IP2EH99CYG5A62Z.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre