Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1533004
MD5:	e6629643e8305d91ff0457edb686f35c
SHA1:	24977a57a4130edd8e82dfaa6de8f6cf2a2a9625
SHA256:	fc83d3aec4b43b001f402b2e0717e75a612aa63d584c4fa6440262fba22c5353
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5884 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E6629643E8305D91FF0457EDB686F35C)

taskkill.exe (PID: 6096 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5040 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6536 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5308 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6728 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6444 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5284 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5492 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6692 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e542091b-9dc7-4550-9d17-5ca93cbf51d1} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23a8b76d310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5948 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -parentBuildID 20230927232528 -prefsHandle 3356 -prefMapHandle 4428 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46e7fab1-6afc-4bfb-bc0d-982fabcd3634} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23a9dd28510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7640 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e25ea4-9a79-4ebf-bed9-2343228ad319} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23aa55c4d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5884	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0048EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0048EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0048ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0048EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0047AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0d07a02f-8
Source: file.exe, 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a1efd633-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_73f1d1c0-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d8f55d4c-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002526F509232 NtQuerySystemInformation,		17_2_000002526F509232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002526F502CB7 NtQuerySystemInformation,		17_2_000002526F502CB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0047D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00471201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00471201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0047E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041BF40	0_2_0041BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00482046	0_2_00482046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418060	0_2_00418060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00478298	0_2_00478298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044E4FF	0_2_0044E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044676B	0_2_0044676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A4873	0_2_004A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CAF0	0_2_0041CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043CAA0	0_2_0043CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CC39	0_2_0042CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00446DD9	0_2_00446DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B119	0_2_0042B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004191C0	0_2_004191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431394	0_2_00431394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431706	0_2_00431706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043781B	0_2_0043781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042997D	0_2_0042997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417920	0_2_00417920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004319B0	0_2_004319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437A4A	0_2_00437A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431C77	0_2_00431C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437CA7	0_2_00437CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049BE44	0_2_0049BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00449EEE	0_2_00449EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431F32	0_2_00431F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002526F509232	17_2_000002526F509232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002526F502CB7	17_2_000002526F502CB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002526F50995C	17_2_000002526F50995C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002526F509272	17_2_000002526F509272

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0042F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00430A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00419CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@71/11

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004837B5 GetLastError,FormatMessageW,

0_2_004837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004710BF AdjustTokenPrivileges,CloseHandle,		0_2_004710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0048648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2363979524.0000023A9F04F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368406807.0000023A9F04C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	Virustotal: Detection: 35%
Source: file.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e542091b-9dc7-4550-9d17-5ca93cbf51d1} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23a8b76d310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -parentBuildID 20230927232528 -prefsHandle 3356 -prefMapHandle 4428 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46e7fab1-6afc-4bfb-bc0d-982fabcd3634} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23a9dd28510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e25ea4-9a79-4ebf-bed9-2343228ad319} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23aa55c4d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e542091b-9dc7-4550-9d17-5ca93cbf51d1} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23a8b76d310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -parentBuildID 20230927232528 -prefsHandle 3356 -prefMapHandle 4428 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46e7fab1-6afc-4bfb-bc0d-982fabcd3634} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23a9dd28510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e25ea4-9a79-4ebf-bed9-2343228ad319} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23aa55c4d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000E.00000003.2310807085.0000023A9B578000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310085075.0000023A9B57B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311697450.0000023A9B57B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309316298.0000023A9B578000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2315012026.0000023A9B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2313943002.0000023A9B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2315012026.0000023A9B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2315012026.0000023A9B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2313943002.0000023A9B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2311459024.0000023AA5B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2315012026.0000023A9B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2311459024.0000023AA5B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000E.00000003.2310807085.0000023A9B578000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310085075.0000023A9B57B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311697450.0000023A9B57B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309316298.0000023A9B578000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00430A76 push ecx; ret

0_2_00430A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0042F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95958

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002526F509232 rdtsc

17_2_000002526F509232

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0047DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044C2A2 FindFirstFileExW,	0_2_0044C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004868EE FindFirstFileW,FindClose,	0_2_004868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0048698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00489642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00489642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0048979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00489B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00489B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00485C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00485C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: firefox.exe, 00000010.00000002.3412350386.00000258FB94A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW",x
Source: firefox.exe, 00000011.00000002.3416413216.000002526FA30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3411495514.000002526F21A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3416325967.00000177473D0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3411364076.0000017746F5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3417095701.00000258FBF16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3412350386.00000258FB94A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp4
Source: firefox.exe, 00000010.00000002.3412350386.00000258FB94A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3417805535.00000258FC340000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3416413216.000002526FA30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002526F509232 rdtsc

17_2_000002526F509232

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048EAA2 BlockInput,

0_2_0048EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00442622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00442622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00434CE8 mov eax, dword ptr fs:[00000030h]

0_2_00434CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00470B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00470B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00442622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00442622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004309D5 SetUnhandledExceptionFilter,	0_2_004309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00430C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00430C21

Source: C:\Users\user\Desktop\file.exe

0_2_00471201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00452BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00452BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047B226 SendInput,keybd_event,

0_2_0047B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00470B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00471663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00471663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00430698 cpuid

0_2_00430698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00488195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00488195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046D27A GetUserNameW,

0_2_0046D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0044B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0044B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5884, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5884, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00491204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00491806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	36%	Virustotal		Browse
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
us-west1.prod.sumo.prod.webservices.mozgcp.net	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
prod.content-signature-chains.prod.webservices.mozgcp.net	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
reddit.map.fastly.net	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
prod.ads.prod.webservices.mozgcp.net	0%	Virustotal	Browse
push.services.mozilla.com	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
www.reddit.com	0%	Virustotal	Browse
content-signature-2.cdn.mozilla.net	0%	Virustotal	Browse
normandy-cdn.services.mozilla.com	0%	Virustotal	Browse
spocs.getpocket.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
support.mozilla.org	0%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse
shavar.services.mozilla.com	0%	Virustotal	Browse
www.wikipedia.org	0%	Virustotal	Browse
www.facebook.com	0%	Virustotal	Browse
normandy.cdn.mozilla.net	0%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://github.com/w3c/csswg-drafts/issues/4650	0%	Virustotal		Browse
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
https://youtube.com/	0%	Virustotal		Browse
https://www.msn.com	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	0%	Virustotal		Browse
https://addons.mozilla.org/firefox/addon/to-google-translate/	0%	Virustotal		Browse
https://content-signature-2.cdn.mozilla.net/	0%	Virustotal		Browse
https://ok.ru/	0%	Virustotal		Browse
https://www.amazon.com/	0%	Virustotal		Browse
https://youtube.com/account?=	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	0%	Virustotal		Browse
http://mozilla.org/MPL/2.0/.	0%	Virustotal		Browse
http://youtube.com/	0%	Virustotal		Browse
https://addons.mozilla.org/	0%	Virustotal		Browse
https://duckduckgo.com/?t=ffab&q=	0%	Virustotal		Browse
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	Virustotal		Browse
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	0%	Virustotal		Browse
https://www.iqiyi.com/	0%	Virustotal		Browse
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.65	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	52.222.236.120	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.142	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	0%, Virustotal, Browse	unknown
youtube-ui.l.google.com	142.250.185.174	true	false	0%, Virustotal, Browse	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	0%, Virustotal, Browse	unknown
reddit.map.fastly.net	151.101.193.140	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.171	true	false	0%, Virustotal, Browse	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
push.services.mozilla.com	34.107.243.93	true	false	0%, Virustotal, Browse	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
www.reddit.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
spocs.getpocket.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
support.mozilla.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
shavar.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.wikipedia.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://youtube.com/account?=https://accounts.google.co7N1Q	firefox.exe, 00000010.00000002.3416657193.00000258FBE50000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2247428365.0000023AA354D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297849589.0000023AA354D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F4C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3412744120.00000177472D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2404437773.0000023A9D1E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2352823943.0000023AA556C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352718319.0000023AA55CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294309123.0000023AA556C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294157952.0000023AA55CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2320982354.0000023AA3649000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300490116.0000023AA3649000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214891664.0000023AA365C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213600323.0000023AA3657000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3413802707.00000258FBDEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F4E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3416540811.0000017747503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3413209377.000002526F486000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3412744120.000001774728F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2223814384.0000023AA3C1E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2234727593.0000023AA3A12000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2294309123.0000023AA5539000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2196610169.0000023A9B938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196293263.0000023A9B700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196768193.0000023A9B953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197118656.0000023A9B98A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196935171.0000023A9B96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196453337.0000023A9B91D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2235737120.0000023A9D180000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375983965.0000023A9D345000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2364078677.0000023A9F032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2247428365.0000023AA35EC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2407817037.0000023AA37CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2377501500.0000023A9D171000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196610169.0000023A9B938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196293263.0000023A9B700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327353819.0000023A9D4F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196768193.0000023A9B953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197118656.0000023A9B98A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315856031.0000023A9D4F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196935171.0000023A9B96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196453337.0000023A9B91D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2387005956.0000023A9EFB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360409338.0000023A9EFB4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2196610169.0000023A9B938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196293263.0000023A9B700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196768193.0000023A9B953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196935171.0000023A9B96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196453337.0000023A9B91D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2356812524.0000023AA349D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2367830249.0000023AA3A27000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2401224791.0000023AA7865000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2355113692.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2380649488.0000023A9F15A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2225442396.0000023A9CDF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388385344.0000023A9CDF2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2355113692.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3412744120.000001774720C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2279271181.0000023A9CB84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280345064.0000023A9CB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280245529.0000023A9CB95000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2371062065.0000023AA38F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234811367.0000023AA38E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247069418.0000023AA38E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2386060977.0000023AA38F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295485167.0000023AA38D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355851550.0000023AA38E7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2406983214.0000023AA7837000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2355113692.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F4C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3412744120.00000177472D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2374528783.0000023A9DC75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2279271181.0000023A9CB84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280345064.0000023A9CB9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2248850675.0000023A9D2D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2294157952.0000023AA55CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2235737120.0000023A9D180000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375983965.0000023A9D345000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	0%, Virustotal, Browse	unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2407385481.0000023AA5576000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2383967753.0000023A9CF81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3413802707.00000258FBDEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F4E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3416540811.0000017747503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3413802707.00000258FBDEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F4E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3416540811.0000017747503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2380649488.0000023A9F160000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2223814384.0000023AA3C1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3412744120.0000017747213000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3415959562.00000177473C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2294929989.0000023AA4AAA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2247428365.0000023AA35EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2410517697.0000023A9CCC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2279342072.0000023A9CB7F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2247140372.0000023AA37C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250690915.0000023A9D2E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315432905.0000023A9CAD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202401080.0000023A9BCD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350868598.0000023A9D473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248850675.0000023A9D2D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352343402.0000023A9D42F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313185712.0000023A9CBC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2383410778.0000023A9D13E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246601397.0000023A9D294000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296321433.0000023AA383F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2328317336.0000023A9D2DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403371446.0000023A9EF50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233981437.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249572387.0000023A9D2CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2408718741.0000023AA370F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2339789207.0000023A9D2C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248451900.0000023A9D298000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301413733.0000023AA3605000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249572387.0000023A9D296000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213364544.0000023AA36E1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2387005956.0000023A9EFB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360409338.0000023A9EFB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2296273058.0000023AA384A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2387005956.0000023A9EFB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360409338.0000023A9EFB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2225442396.0000023A9CDF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388385344.0000023A9CDF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296364008.0000023AA381A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2225442396.0000023A9CDF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388385344.0000023A9CDF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296364008.0000023AA381A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2410517697.0000023A9CCC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2320982354.0000023AA3649000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300490116.0000023AA3649000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214891664.0000023AA365C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213600323.0000023AA3657000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2371277871.0000023AA37C0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2401982609.0000023AA37D6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2233981437.0000023AA3A26000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2279271181.0000023A9CB84000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2353894730.0000023AA4A19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2333790862.0000023AA4A19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2384801518.0000023AA4A1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2365114794.0000023A9E3E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2279271181.0000023A9CB84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280459652.0000023A9CBB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280345064.0000023A9CB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280245529.0000023A9CB95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280041043.0000023A9CB73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2406983214.0000023AA7837000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2355113692.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360409338.0000023A9EFB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3413428425.00000258FBB10000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3412214430.000002526F270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3415748378.0000017747320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2294157952.0000023AA55CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352345354.0000023AA78B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
52.222.236.120	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533004
Start date and time:	2024-10-14 09:45:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@71/11
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.25.49.43, 35.83.8.120, 52.26.161.5, 142.250.185.202, 142.250.184.202, 142.250.186.142, 2.22.61.59, 2.22.61.56, 216.58.206.46
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 5492 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:46:27	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.120	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1	Get hash	malicious	Unknown	Browse	157.240.0.35
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	34.117.39.58
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	34.148.73.213
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	34.1.241.144
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	34.159.179.219
	arm5.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	51.17.46.145
AMAZON-02US	https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1	Get hash	malicious	Unknown	Browse	44.233.210.92
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	3.160.150.33
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	na.elf	Get hash	malicious	Mirai	Browse	44.234.206.43
	na.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	na.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	13.33.187.32
	na.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	na.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
ATGS-MMD-ASUS	https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	34.148.73.213
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	34.1.241.144
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	34.159.179.219
	arm5.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	51.17.46.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b150bc98-a738-458b-b244-0861ebdfb702.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181223914221474
Encrypted:	false
SSDEEP:	192:DKMiRNGcbhbVbTbfbRbObtbyEl7n0rjJA6wnSrDtTkd/S/h:DP/cNhnzFSJUr6jnSrDhkd/Y
MD5:	9327AA602295C4C819E94FC7BD6CE4F9
SHA1:	4BC901C3CC913672AEE7174548794987D1E859F5
SHA-256:	CC3B52BBA242963DBABEF7876AA233C8D74FF273AA4F2C5517DF623C0A9A59DF
SHA-512:	063CFEEA666B52ACD8A59BB0871DBB6E17FC22BFC2A035785D3F4814BD33E8D8C85377CACBFDB7B2A06A7897973CE0ECD4FF0F973676F871BF6E6EF057DCCAF4
Malicious:	false
Preview:	{"type":"uninstall","id":"b150bc98-a738-458b-b244-0861ebdfb702","creationDate":"2024-10-14T09:43:09.895Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b150bc98-a738-458b-b244-0861ebdfb702.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181223914221474
Encrypted:	false
SSDEEP:	192:DKMiRNGcbhbVbTbfbRbObtbyEl7n0rjJA6wnSrDtTkd/S/h:DP/cNhnzFSJUr6jnSrDhkd/Y
MD5:	9327AA602295C4C819E94FC7BD6CE4F9
SHA1:	4BC901C3CC913672AEE7174548794987D1E859F5
SHA-256:	CC3B52BBA242963DBABEF7876AA233C8D74FF273AA4F2C5517DF623C0A9A59DF
SHA-512:	063CFEEA666B52ACD8A59BB0871DBB6E17FC22BFC2A035785D3F4814BD33E8D8C85377CACBFDB7B2A06A7897973CE0ECD4FF0F973676F871BF6E6EF057DCCAF4
Malicious:	false
Preview:	{"type":"uninstall","id":"b150bc98-a738-458b-b244-0861ebdfb702","creationDate":"2024-10-14T09:43:09.895Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.920139256978214
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNtlZ9Rdu:8S+OVPUFRbOdwNIOdYpjvY1Q6LslZJ8P
MD5:	A1C050C4B2AEFC92734281C4C865BDBC
SHA1:	BCDA957F6DD80EC2EDF3F8BE897778E846DA209D
SHA-256:	40327F5C29A243B150F66436D1A1B5ED39200846F106A8E3BF3B9F0005E54B9F
SHA-512:	D1F521D68FCCF384169CB95096CAFEBAE85F98C4B7208E04E6B6E3953A1F138817F136404497953477F3744F8EB600361CAFA6A7FA9516FB7709577691059AA0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.920139256978214
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNtlZ9Rdu:8S+OVPUFRbOdwNIOdYpjvY1Q6LslZJ8P
MD5:	A1C050C4B2AEFC92734281C4C865BDBC
SHA1:	BCDA957F6DD80EC2EDF3F8BE897778E846DA209D
SHA-256:	40327F5C29A243B150F66436D1A1B5ED39200846F106A8E3BF3B9F0005E54B9F
SHA-512:	D1F521D68FCCF384169CB95096CAFEBAE85F98C4B7208E04E6B6E3953A1F138817F136404497953477F3744F8EB600361CAFA6A7FA9516FB7709577691059AA0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07327920038825769
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	4D4DD99A08F8B87AA8A92C659B24908D
SHA1:	137EF5D38325FEFAD4BE8A4B5C7CA5525156F0C6
SHA-256:	D21BD8B1009894EC2FB131014111300F7F799F417B5A20DD1AC30AB316C66C4D
SHA-512:	EC40C73A2EFDAF0522017071B7E18D80F1A54AC4DE7361B2AA29CC5FFB07804A117D29F324D181216C027701295F0CA339A26E47AE9EBDFD7F3142DBF5EA61F3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035409731588080785
Encrypted:	false
SSDEEP:	3:GtlstFTpZHHbCUZfp9lstFTpZHHbCUZfpCllT89//alEl:GtWtdHHvB9WtdHHvBmJ89XuM
MD5:	BBC36D0FDDD04FB2AFA07A940014E9F5
SHA1:	0649A03FBA16C6D6FBEEC0C09F15057C9ACC04D9
SHA-256:	A2F4053C0E7527AA08D09FD55DD0A160A49C675CE780C4F432C8ED6FB4349E8A
SHA-512:	0D6794C551EBF12E95661EA35F2367E568979772805F9DE285C4B21B9ABF02B17BF4230DCB492E53EFEB677FFEFEC3FEFEFBA31F042B061857F8458885C6B1B8
Malicious:	false
Preview:	..-.....................D...b>...^...p0.,.....\|...-.....................D...b>...^...p0.,.....\|.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03972635465203797
Encrypted:	false
SSDEEP:	3:Ol1y6mOay398VJ5h4HH4a7l8rEXsxdwhml8XW3R2:K4DON4/3wl8dMhm93w
MD5:	78DE8129B797E450B0EAD77EA27028A4
SHA1:	75469A7CD37AA989A6E6F1862FFFF2E209999439
SHA-256:	D424AE6530A47F69F3123C03D4090CDDF3B9CD666C4924E60AE61BF2FEBE90E9
SHA-512:	033F72B4E4AA9364E579A7D07D2F91B1923292A77553634A54D22244929F57CE6CFED39E2FAB435AC5C2311A26811C7F67335DA7D287CB0FC200B9AFE802129E
Malicious:	false
Preview:	7....-...........^...p0..Xa+...........^...p0....D..>b................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477302969364444
Encrypted:	false
SSDEEP:	192:bnPOeRnLYbBp6tJ0aX+r6SEXK3WNKZE5RHWNBw8diSl:bDecJU+qSHHEwh0
MD5:	F261E116F411D1C5BBEA5D29045BC494
SHA1:	9468A122C4C7BF6FAED3E70C17BCBCAE4A212415
SHA-256:	BCA714846CD1EAD53491F3698348EDCF92671C7A113F92AB562472B9ED20705D
SHA-512:	8BAB156C4DADC0E0407E0302F233B9D4975A5CF2ABE904F58DC979A1CF1BDC8408ED02A0BB6F9859EFA686D0409D3C3CA03566F205F5E5F66A4BEAD07DF1F17A
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728898959);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728898959);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728898959);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172889

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477302969364444
Encrypted:	false
SSDEEP:	192:bnPOeRnLYbBp6tJ0aX+r6SEXK3WNKZE5RHWNBw8diSl:bDecJU+qSHHEwh0
MD5:	F261E116F411D1C5BBEA5D29045BC494
SHA1:	9468A122C4C7BF6FAED3E70C17BCBCAE4A212415
SHA-256:	BCA714846CD1EAD53491F3698348EDCF92671C7A113F92AB562472B9ED20705D
SHA-512:	8BAB156C4DADC0E0407E0302F233B9D4975A5CF2ABE904F58DC979A1CF1BDC8408ED02A0BB6F9859EFA686D0409D3C3CA03566F205F5E5F66A4BEAD07DF1F17A
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728898959);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728898959);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728898959);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172889

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\d5ffe540-1bf5-492a-8225-7292b2756c0a (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.959776197708785
Encrypted:	false
SSDEEP:	12:YZFgpzyMIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YEvSlCOlZGV1AQIWZcy6ZXvx
MD5:	D8705EFB498E8C13878ACFFDAB4C82DB
SHA1:	7888123C7E4286C8003714E1358F1B6FA4FAB774
SHA-256:	63B6D3581B4581CF2E4C79C83C31927D38B14E45F29E3A6BB3DB9C8F6238A280
SHA-512:	A9555C98A79035EDC3ADA91B349C40F98DBC94EBC5317CEC3D6C18AE4DEC6882D02A95273D55C2DF084AA6FA0BE37B9253140FC5D9A6BF3D7126AC6F5828AE00
Malicious:	false
Preview:	{"type":"health","id":"d5ffe540-1bf5-492a-8225-7292b2756c0a","creationDate":"2024-10-14T09:43:10.482Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\d5ffe540-1bf5-492a-8225-7292b2756c0a.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.959776197708785
Encrypted:	false
SSDEEP:	12:YZFgpzyMIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YEvSlCOlZGV1AQIWZcy6ZXvx
MD5:	D8705EFB498E8C13878ACFFDAB4C82DB
SHA1:	7888123C7E4286C8003714E1358F1B6FA4FAB774
SHA-256:	63B6D3581B4581CF2E4C79C83C31927D38B14E45F29E3A6BB3DB9C8F6238A280
SHA-512:	A9555C98A79035EDC3ADA91B349C40F98DBC94EBC5317CEC3D6C18AE4DEC6882D02A95273D55C2DF084AA6FA0BE37B9253140FC5D9A6BF3D7126AC6F5828AE00
Malicious:	false
Preview:	{"type":"health","id":"d5ffe540-1bf5-492a-8225-7292b2756c0a","creationDate":"2024-10-14T09:43:10.482Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.345182572706239
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSuKS6LXnIrJOtf/pnxQwRcWT5sKmgb0H3eHVpjO+tamhujJkO2c0TI:GUpOxTUhtZnRcoeg23erjxt4Jkc3zBtT
MD5:	70041AC4E43FF5ADDBDC7BE39BB5BFBE
SHA1:	9432CE96BE891356B3A5CEE3E530FBF32658427B
SHA-256:	DC9BCF9C210CE183AF3132A9E4F1098F24EC428CB77DB5DFEAB1842F0753710B
SHA-512:	62965F14F10C9E01428436FFE86101DE564C7E34F19D1D616B31AF0336AF269AB82DBCECB1323B40A51717AECA51CAC894640F33DB9481BFC90CBF0B54874FAA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{d03565ca-d184-4585-9f1e-38116a38e82a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728898963893,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P29372...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...37722,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.345182572706239
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSuKS6LXnIrJOtf/pnxQwRcWT5sKmgb0H3eHVpjO+tamhujJkO2c0TI:GUpOxTUhtZnRcoeg23erjxt4Jkc3zBtT
MD5:	70041AC4E43FF5ADDBDC7BE39BB5BFBE
SHA1:	9432CE96BE891356B3A5CEE3E530FBF32658427B
SHA-256:	DC9BCF9C210CE183AF3132A9E4F1098F24EC428CB77DB5DFEAB1842F0753710B
SHA-512:	62965F14F10C9E01428436FFE86101DE564C7E34F19D1D616B31AF0336AF269AB82DBCECB1323B40A51717AECA51CAC894640F33DB9481BFC90CBF0B54874FAA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{d03565ca-d184-4585-9f1e-38116a38e82a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728898963893,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P29372...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...37722,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.345182572706239
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSuKS6LXnIrJOtf/pnxQwRcWT5sKmgb0H3eHVpjO+tamhujJkO2c0TI:GUpOxTUhtZnRcoeg23erjxt4Jkc3zBtT
MD5:	70041AC4E43FF5ADDBDC7BE39BB5BFBE
SHA1:	9432CE96BE891356B3A5CEE3E530FBF32658427B
SHA-256:	DC9BCF9C210CE183AF3132A9E4F1098F24EC428CB77DB5DFEAB1842F0753710B
SHA-512:	62965F14F10C9E01428436FFE86101DE564C7E34F19D1D616B31AF0336AF269AB82DBCECB1323B40A51717AECA51CAC894640F33DB9481BFC90CBF0B54874FAA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{d03565ca-d184-4585-9f1e-38116a38e82a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728898963893,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P29372...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...37722,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028732286695657
Encrypted:	false
SSDEEP:	96:ycjMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:CTEr5NX0z3DhRe
MD5:	7809A6A42C10059A7B727E7E0FB3AA59
SHA1:	033103778EF2D5C937863E67F8944D015D35D747
SHA-256:	8A6DDFC7FDE23339E0B64FA971A44B6A20533A2D6D5280476FB95A92EAA6497C
SHA-512:	63B23152948741FF325F52DEE025886DD84994E07CEC478F4C40DE45DE8653E12BDFE3233AD63ECEF7C0BA605F9C421CDC48A9F7C850BAD2469D459BA2AC0779
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T09:42:23.820Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028732286695657
Encrypted:	false
SSDEEP:	96:ycjMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:CTEr5NX0z3DhRe
MD5:	7809A6A42C10059A7B727E7E0FB3AA59
SHA1:	033103778EF2D5C937863E67F8944D015D35D747
SHA-256:	8A6DDFC7FDE23339E0B64FA971A44B6A20533A2D6D5280476FB95A92EAA6497C
SHA-512:	63B23152948741FF325F52DEE025886DD84994E07CEC478F4C40DE45DE8653E12BDFE3233AD63ECEF7C0BA605F9C421CDC48A9F7C850BAD2469D459BA2AC0779
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T09:42:23.820Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584675270576623
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	e6629643e8305d91ff0457edb686f35c
SHA1:	24977a57a4130edd8e82dfaa6de8f6cf2a2a9625
SHA256:	fc83d3aec4b43b001f402b2e0717e75a612aa63d584c4fa6440262fba22c5353
SHA512:	02f7139d28d39f5f5b254377bd35c9285018bc595e9cb4b975fdc76b7ad42f34a47216fbd644d45a1c715a7f38e13ccf65b43952b49b00c6e58d6fc51f18831b
SSDEEP:	12288:vqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TT:vqDEvCTbMWu7rQYlBQcBiT6rprG8abT
TLSH:	B6159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x670CC918 [Mon Oct 14 07:32:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F2CECC71B83h
jmp 00007F2CECC7148Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2CECC7166Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2CECC7163Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2CECC7422Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2CECC74278h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2CECC74261h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	50e6d6b42841460fe57e5e51bb360ff3	False	0.31561511075949367	data	5.37435849312658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 09:46:21.507783890 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:21.507857084 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:21.517698050 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:21.531461000 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:21.531500101 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:22.028295994 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:22.028312922 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:22.028419018 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:22.037460089 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:22.037460089 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:22.037484884 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:22.038388014 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:22.038944006 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:22.230268955 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:22.235192060 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:22.235382080 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:22.236306906 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:22.241086960 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:22.710581064 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:22.835983038 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:23.099972010 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.100034952 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.100243092 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.101854086 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.101885080 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.542644024 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:23.547548056 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:23.551630020 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:23.553021908 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:23.557923079 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:23.560889006 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.560949087 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.564898968 CEST	49720	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:23.564953089 CEST	443	49720	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:23.565572023 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.565732002 CEST	49720	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:23.567037106 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.567070007 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.567199945 CEST	49720	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:23.567224026 CEST	443	49720	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:23.569233894 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:23.569284916 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:23.570342064 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:23.570483923 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:23.570498943 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:23.574970007 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.575083017 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.581398964 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.581432104 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.581531048 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.581598997 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.581903934 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.581933022 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.581968069 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.582143068 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.583512068 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:23.583520889 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:23.787070036 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:23.791937113 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:23.887465000 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:24.024360895 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.035134077 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:24.051434994 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:24.054645061 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.058125019 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.058254004 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.061402082 CEST	443	49720	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:24.063838959 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.063862085 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.064311981 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.064855099 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.064866066 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:24.064977884 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.065107107 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:24.065546989 CEST	49720	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:24.066009045 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.068330050 CEST	49720	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:24.068361044 CEST	443	49720	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:24.068672895 CEST	443	49720	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:24.070200920 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.070456028 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.070467949 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.070485115 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.071007013 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.071048975 CEST	443	49723	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.071450949 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.071455002 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.071595907 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.071613073 CEST	443	49723	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.071778059 CEST	49720	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:24.071846008 CEST	49720	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:24.071962118 CEST	443	49720	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:24.072051048 CEST	49720	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:24.086976051 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:24.087060928 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.092592955 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.092602015 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:24.092729092 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.092890024 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:24.093028069 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.124634981 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.546711922 CEST	443	49723	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.547487020 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.586076021 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.586100101 CEST	443	49723	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.586345911 CEST	443	49723	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.588587046 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.588706970 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.588771105 CEST	443	49723	34.160.144.191	192.168.2.5
Oct 14, 2024 09:46:24.589129925 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.589391947 CEST	49723	443	192.168.2.5	34.160.144.191
Oct 14, 2024 09:46:24.592951059 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.592987061 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.598001957 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.598043919 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:24.598058939 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:24.600258112 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.600286961 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:24.602797985 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:24.606287956 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.606312037 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.606368065 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.606369019 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.607878923 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:24.607896090 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:24.608015060 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:24.612793922 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:24.998826981 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:25.003671885 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:25.008618116 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:25.009012938 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:25.013820887 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:25.061456919 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:25.087171078 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.097788095 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.102756977 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.102763891 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.102900982 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.102972984 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.103277922 CEST	49737	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.103329897 CEST	443	49737	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.117873907 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:25.117924929 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.117980003 CEST	49737	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.119520903 CEST	49737	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.119559050 CEST	443	49737	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.484448910 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:25.542100906 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:25.600646973 CEST	443	49737	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.600656986 CEST	443	49737	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.600740910 CEST	49737	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.605854034 CEST	49737	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.605870962 CEST	443	49737	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.605954885 CEST	49737	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.606056929 CEST	443	49737	34.117.188.166	192.168.2.5
Oct 14, 2024 09:46:25.606180906 CEST	49737	443	192.168.2.5	34.117.188.166
Oct 14, 2024 09:46:25.980812073 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:25.981296062 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:25.985799074 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:25.986551046 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:26.085407972 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:26.085679054 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:26.136282921 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:26.136308908 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:28.661885023 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:28.686660051 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:28.778692961 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:28.828547955 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:28.990638018 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:28.990674019 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:28.991450071 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:28.995631933 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:28.995649099 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.024597883 CEST	49760	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:29.024652004 CEST	443	49760	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:29.026518106 CEST	49760	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:29.027924061 CEST	49760	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:29.027941942 CEST	443	49760	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:29.038968086 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:29.038997889 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:29.042634964 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:29.043818951 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:29.043828964 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:29.047003031 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.047024965 CEST	443	49766	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:29.051338911 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.051457882 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.051471949 CEST	443	49766	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:29.513346910 CEST	443	49760	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:29.513474941 CEST	49760	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:29.514785051 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.516335964 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.532609940 CEST	443	49766	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:29.532937050 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:29.538275957 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.538397074 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:29.589422941 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.589442015 CEST	443	49766	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:29.589766979 CEST	443	49766	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:29.600090027 CEST	49760	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:29.600120068 CEST	443	49760	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:29.600462914 CEST	49760	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:29.600481033 CEST	443	49760	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:29.607058048 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.607074022 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.607374907 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.607577085 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.608230114 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:29.608239889 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:29.608331919 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:29.608505011 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:29.611968040 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.612041950 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.612123013 CEST	443	49766	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:29.619369030 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.619740009 CEST	49760	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:29.619775057 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.619787931 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:29.619798899 CEST	49766	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:29.683087111 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:29.687855005 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:29.700063944 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.700123072 CEST	443	49768	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.701522112 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.701888084 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.701911926 CEST	443	49768	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.702912092 CEST	49769	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.702935934 CEST	443	49769	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.703572035 CEST	49769	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.705874920 CEST	49769	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.705888987 CEST	443	49769	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.712469101 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.712481976 CEST	443	49770	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.713671923 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.713869095 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:29.713879108 CEST	443	49770	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:29.784754038 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:29.826817036 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:30.192606926 CEST	443	49769	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.192837000 CEST	49769	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.197588921 CEST	443	49770	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.197747946 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.209233046 CEST	443	49768	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.209315062 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.211921930 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.211935043 CEST	443	49770	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.212584972 CEST	443	49770	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.228617907 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.228656054 CEST	443	49768	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.229515076 CEST	443	49768	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.271450043 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.271783113 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.317389011 CEST	49769	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.317408085 CEST	443	49769	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.317468882 CEST	49769	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.317864895 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.317967892 CEST	443	49769	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.318109035 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.318391085 CEST	49769	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.318531036 CEST	443	49770	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.318644047 CEST	49770	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.778940916 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.779057026 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:30.779529095 CEST	443	49768	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:30.779875040 CEST	49768	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:34.094044924 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:34.101800919 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:34.193697929 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:34.241611004 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:34.831989050 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:34.833726883 CEST	49808	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:34.833750963 CEST	443	49808	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:34.836992979 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:34.837996006 CEST	49808	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:34.839001894 CEST	49808	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:34.839010954 CEST	443	49808	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:34.932488918 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:34.981432915 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:35.087575912 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:35.087611914 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:35.089755058 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:35.090939999 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:35.090950012 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:35.320341110 CEST	443	49808	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:35.320509911 CEST	49808	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:35.324193954 CEST	49808	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:35.324193954 CEST	49808	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:35.324204922 CEST	443	49808	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:35.324632883 CEST	443	49808	34.120.208.123	192.168.2.5
Oct 14, 2024 09:46:35.324731112 CEST	49808	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:46:35.565213919 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:35.565324068 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:35.569432020 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:35.569439888 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:35.569570065 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:35.569597006 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:35.569814920 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:36.158093929 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:36.162950993 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:36.254631996 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:36.306811094 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:37.620299101 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:37.625217915 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:37.721250057 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:37.779948950 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:37.912231922 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:37.917146921 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:38.009071112 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:38.058666945 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:44.852122068 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:44.857121944 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:44.952833891 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:44.957391977 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:44.962276936 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:45.001178980 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:45.054090023 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:45.101521969 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:47.724603891 CEST	49891	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:47.724647999 CEST	443	49891	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:47.724822044 CEST	49891	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:47.726191998 CEST	49891	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:47.726207972 CEST	443	49891	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:48.225963116 CEST	443	49891	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:48.226044893 CEST	49891	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:48.230205059 CEST	49891	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:48.230227947 CEST	443	49891	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:48.230307102 CEST	49891	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:48.230401993 CEST	443	49891	34.107.243.93	192.168.2.5
Oct 14, 2024 09:46:48.231209993 CEST	49891	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:46:48.233685017 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:48.238514900 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:48.333806038 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:48.355721951 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:48.360586882 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:48.392760038 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:48.452827930 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:48.493046045 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:50.350431919 CEST	49912	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:50.350456953 CEST	443	49912	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:50.350990057 CEST	49912	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:50.351150990 CEST	49912	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:50.351162910 CEST	443	49912	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:50.376564026 CEST	49913	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:50.376605034 CEST	443	49913	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:50.383517981 CEST	49913	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:50.383680105 CEST	49913	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:50.383703947 CEST	443	49913	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:50.384890079 CEST	49914	443	192.168.2.5	52.222.236.120
Oct 14, 2024 09:46:50.384937048 CEST	443	49914	52.222.236.120	192.168.2.5
Oct 14, 2024 09:46:50.386749029 CEST	49915	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:50.386779070 CEST	443	49915	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:50.391093016 CEST	49914	443	192.168.2.5	52.222.236.120
Oct 14, 2024 09:46:50.391113997 CEST	49915	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:50.391222000 CEST	49914	443	192.168.2.5	52.222.236.120
Oct 14, 2024 09:46:50.391242981 CEST	443	49914	52.222.236.120	192.168.2.5
Oct 14, 2024 09:46:50.392662048 CEST	49915	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:50.392676115 CEST	443	49915	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:50.401518106 CEST	49916	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.401557922 CEST	443	49916	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:50.402376890 CEST	49916	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.404464960 CEST	49916	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.404483080 CEST	443	49916	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:50.823935986 CEST	443	49912	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:50.824031115 CEST	49912	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:50.826936960 CEST	49912	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:50.826946020 CEST	443	49912	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:50.828263044 CEST	443	49912	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:50.830007076 CEST	49912	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:50.830029964 CEST	49912	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:50.830213070 CEST	443	49912	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:50.830471039 CEST	49912	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:50.834994078 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:50.839864969 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:50.855665922 CEST	443	49913	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:50.855679989 CEST	443	49913	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:50.855760098 CEST	49913	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:50.858643055 CEST	49913	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:50.858669043 CEST	443	49913	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:50.858911037 CEST	443	49913	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:50.861362934 CEST	49913	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:50.861485004 CEST	49913	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:50.861509085 CEST	443	49913	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:50.861718893 CEST	49913	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:50.867333889 CEST	443	49915	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:50.867429018 CEST	49915	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:50.872721910 CEST	49915	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:50.872729063 CEST	443	49915	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:50.872795105 CEST	49915	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:50.872888088 CEST	443	49915	35.190.72.216	192.168.2.5
Oct 14, 2024 09:46:50.873466969 CEST	49915	443	192.168.2.5	35.190.72.216
Oct 14, 2024 09:46:50.905303001 CEST	443	49916	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:50.905381918 CEST	49916	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.910496950 CEST	49916	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.910518885 CEST	443	49916	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:50.910665989 CEST	49916	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.910718918 CEST	443	49916	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:50.911091089 CEST	49916	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.911381006 CEST	49917	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.911417007 CEST	443	49917	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:50.911521912 CEST	49917	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.912899017 CEST	49917	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:50.912913084 CEST	443	49917	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:50.935414076 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:50.938970089 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:50.943886042 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:50.980118036 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.035722017 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.080446959 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.143981934 CEST	443	49914	52.222.236.120	192.168.2.5
Oct 14, 2024 09:46:51.144072056 CEST	49914	443	192.168.2.5	52.222.236.120
Oct 14, 2024 09:46:51.148152113 CEST	49914	443	192.168.2.5	52.222.236.120
Oct 14, 2024 09:46:51.148180962 CEST	443	49914	52.222.236.120	192.168.2.5
Oct 14, 2024 09:46:51.148447037 CEST	443	49914	52.222.236.120	192.168.2.5
Oct 14, 2024 09:46:51.151875019 CEST	49914	443	192.168.2.5	52.222.236.120
Oct 14, 2024 09:46:51.152129889 CEST	443	49914	52.222.236.120	192.168.2.5
Oct 14, 2024 09:46:51.152477980 CEST	49914	443	192.168.2.5	52.222.236.120
Oct 14, 2024 09:46:51.152503967 CEST	443	49914	52.222.236.120	192.168.2.5
Oct 14, 2024 09:46:51.158251047 CEST	49914	443	192.168.2.5	52.222.236.120
Oct 14, 2024 09:46:51.163393974 CEST	49923	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.163444042 CEST	443	49923	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.164035082 CEST	49923	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.164035082 CEST	49923	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.164068937 CEST	443	49923	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.166412115 CEST	49924	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.166477919 CEST	443	49924	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.166766882 CEST	49924	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.166929007 CEST	49924	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.166946888 CEST	443	49924	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.169568062 CEST	49925	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.169600010 CEST	443	49925	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.169866085 CEST	49925	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.169989109 CEST	49925	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.170002937 CEST	443	49925	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.171413898 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.176393986 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.271744013 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.275579929 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.280459881 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.312313080 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.372236967 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.387094021 CEST	443	49917	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:51.387255907 CEST	49917	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:51.392395020 CEST	49917	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:51.392404079 CEST	443	49917	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:51.392421961 CEST	49917	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:51.392602921 CEST	443	49917	35.201.103.21	192.168.2.5
Oct 14, 2024 09:46:51.393989086 CEST	49917	443	192.168.2.5	35.201.103.21
Oct 14, 2024 09:46:51.395807028 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.400697947 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.407335043 CEST	49926	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:51.407375097 CEST	443	49926	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:51.407511950 CEST	49926	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:51.407605886 CEST	49926	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:51.407613993 CEST	443	49926	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:51.412627935 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.496011019 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.499222040 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.504034996 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.550719976 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.595659018 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.635395050 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.638879061 CEST	443	49924	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.638962030 CEST	49924	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.641618967 CEST	49924	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.641632080 CEST	443	49924	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.641885042 CEST	443	49924	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.644692898 CEST	49924	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.644792080 CEST	49924	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.644854069 CEST	443	49924	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.649405956 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.650372028 CEST	49924	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.653135061 CEST	443	49925	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.653203964 CEST	49925	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.654200077 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.654402018 CEST	443	49923	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.656897068 CEST	49925	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.656908035 CEST	443	49925	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.657114983 CEST	49923	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.657157898 CEST	443	49925	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.660372019 CEST	49923	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.660388947 CEST	443	49923	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.660650015 CEST	443	49923	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.663909912 CEST	49925	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.664020061 CEST	49925	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.664084911 CEST	443	49925	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.664391994 CEST	49923	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.664459944 CEST	49923	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.664562941 CEST	443	49923	35.244.181.201	192.168.2.5
Oct 14, 2024 09:46:51.664818048 CEST	49925	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.664827108 CEST	49923	443	192.168.2.5	35.244.181.201
Oct 14, 2024 09:46:51.750097036 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.753542900 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.758403063 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.798194885 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.850506067 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:51.889075994 CEST	443	49926	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:51.889290094 CEST	49926	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:51.893229961 CEST	49926	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:51.893237114 CEST	443	49926	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:51.893789053 CEST	443	49926	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:51.896213055 CEST	49926	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:51.896445990 CEST	49926	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:51.896456957 CEST	443	49926	34.149.100.209	192.168.2.5
Oct 14, 2024 09:46:51.896567106 CEST	49926	443	192.168.2.5	34.149.100.209
Oct 14, 2024 09:46:51.898483038 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.899619102 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:51.904468060 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:52.000070095 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:52.003190041 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:52.008555889 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:52.052228928 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:46:52.100279093 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:46:52.152546883 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:02.012303114 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:02.017174006 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:02.112587929 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:02.117520094 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:08.251755953 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:08.251873016 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:08.252357006 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:08.253704071 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:08.253742933 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:08.747678995 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:08.747806072 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:08.753073931 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:08.753088951 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:08.753199100 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:08.753284931 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:08.753849983 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:08.756297112 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:08.761218071 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:08.857124090 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:08.860359907 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:08.865314960 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:08.900918961 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:08.957189083 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:09.001185894 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:18.861438036 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:18.866857052 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:18.961733103 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:18.967025042 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:20.794013023 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:20.794070005 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:20.794420958 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:20.794593096 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:20.794609070 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:20.797404051 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:20.797447920 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:20.798151016 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:20.798372984 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:20.798386097 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.481296062 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.481298923 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.482095003 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.482105017 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.486490011 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.486502886 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.486819983 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.489692926 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.489717007 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.490076065 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.493590117 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.493735075 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.493859053 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.493953943 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.494023085 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.494175911 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.494507074 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.494523048 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.500392914 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:21.503294945 CEST	50026	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.503343105 CEST	443	50026	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.503726006 CEST	50026	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.503863096 CEST	50026	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.503879070 CEST	443	50026	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.505290031 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:21.514528036 CEST	50027	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.514554024 CEST	443	50027	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.515985966 CEST	50027	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.516122103 CEST	50027	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.516135931 CEST	443	50027	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.517566919 CEST	50028	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.517606020 CEST	443	50028	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.518102884 CEST	50028	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.518204927 CEST	50028	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.518218040 CEST	443	50028	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.600856066 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:21.605789900 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:21.610595942 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:21.655204058 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:21.702719927 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:21.757668018 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:21.990391970 CEST	443	50027	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.990528107 CEST	50027	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.995382071 CEST	50027	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:21.995395899 CEST	443	50027	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.995639086 CEST	443	50027	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.997225046 CEST	443	50028	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:21.997325897 CEST	50028	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.000492096 CEST	50028	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.000502110 CEST	443	50028	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:22.001279116 CEST	50027	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.001297951 CEST	443	50028	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:22.001422882 CEST	50027	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.001450062 CEST	443	50027	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:22.003187895 CEST	50027	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.004484892 CEST	50028	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.004592896 CEST	50028	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.004915953 CEST	443	50028	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:22.005175114 CEST	50028	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.006618023 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:22.008949995 CEST	443	50026	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:22.009078979 CEST	50026	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.011487961 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:22.012711048 CEST	50026	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.012722969 CEST	443	50026	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:22.013498068 CEST	443	50026	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:22.015230894 CEST	50026	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.015337944 CEST	50026	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.015409946 CEST	443	50026	34.120.208.123	192.168.2.5
Oct 14, 2024 09:47:22.015501022 CEST	50026	443	192.168.2.5	34.120.208.123
Oct 14, 2024 09:47:22.106874943 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:22.110618114 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:22.115530968 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:22.160837889 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:22.207488060 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:22.261054039 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:32.120625019 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:32.125727892 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:32.220916033 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:32.225941896 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:42.133534908 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:42.138732910 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:42.234107971 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:42.239408970 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:48.779330969 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:48.779386997 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:48.779505014 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:48.780977011 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:48.780996084 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:49.268430948 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:49.268867016 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:49.273443937 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:49.273463011 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:49.273530006 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:49.273758888 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 14, 2024 09:47:49.274036884 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 14, 2024 09:47:49.276483059 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:49.281898975 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:49.377527952 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:49.380641937 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:49.386533022 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:49.423861027 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:49.478605032 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:49.523897886 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:59.389086962 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:59.394195080 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:47:59.489427090 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:47:59.494287968 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:48:09.402018070 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:48:09.407037973 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:48:09.502295017 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:48:09.507276058 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 14, 2024 09:48:19.419658899 CEST	49731	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:48:19.424575090 CEST	80	49731	34.107.221.82	192.168.2.5
Oct 14, 2024 09:48:19.511449099 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 14, 2024 09:48:19.516459942 CEST	80	49729	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 09:46:21.507791996 CEST	55868	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:21.515213966 CEST	53	55868	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:21.529371977 CEST	54140	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:21.536112070 CEST	53	54140	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:22.176038980 CEST	62141	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:22.176038980 CEST	51984	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:22.183095932 CEST	53	62141	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:22.192318916 CEST	50679	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:22.199407101 CEST	53	50679	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:22.235176086 CEST	61689	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:22.236356020 CEST	62387	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:22.242230892 CEST	53	61689	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:22.243123055 CEST	64829	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:22.243499041 CEST	53	62387	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:22.250202894 CEST	53	64829	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.063885927 CEST	65012	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.064198971 CEST	64792	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.070802927 CEST	53	65012	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.070888042 CEST	53	64792	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.091196060 CEST	64283	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.098053932 CEST	53	64283	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.100100040 CEST	59951	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.107718945 CEST	53	59951	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.109006882 CEST	64957	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.116503954 CEST	53	64957	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.526269913 CEST	56592	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.531409979 CEST	61770	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.538317919 CEST	53	61770	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.553787947 CEST	50094	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.560589075 CEST	53	50094	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.561477900 CEST	54653	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.565296888 CEST	58626	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.568887949 CEST	53	54653	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.569839954 CEST	55993	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.572985888 CEST	53	58626	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.573062897 CEST	49663	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.573999882 CEST	62833	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.579623938 CEST	53	49663	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.580563068 CEST	53	62833	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.586378098 CEST	53	55993	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:23.587105036 CEST	49635	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:23.594131947 CEST	53	49635	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:28.652595997 CEST	62847	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:28.688429117 CEST	53	62847	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:28.689449072 CEST	59488	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:28.696443081 CEST	53	59488	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:28.697041035 CEST	53051	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:28.704554081 CEST	53	53051	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:28.741439104 CEST	58545	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:28.777297020 CEST	53	61165	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:28.975374937 CEST	50421	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:28.982666969 CEST	53	50421	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:28.988486052 CEST	53873	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:28.989029884 CEST	59086	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:28.991374016 CEST	54528	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:28.995320082 CEST	53	53873	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:28.995990992 CEST	53	59086	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:28.998075008 CEST	53	54528	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:29.014861107 CEST	56211	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:29.021589041 CEST	53	56211	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:29.026243925 CEST	51277	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:29.030538082 CEST	58568	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:29.033070087 CEST	53	51277	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:29.037751913 CEST	53	58568	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:29.042237997 CEST	51313	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:29.044456005 CEST	60931	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:29.049140930 CEST	53	51313	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:29.051378965 CEST	53	60931	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:34.840030909 CEST	61457	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:34.846987009 CEST	53	61457	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:34.978682995 CEST	59982	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:34.985402107 CEST	53	59982	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.616873980 CEST	55050	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.617616892 CEST	54196	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.618136883 CEST	50215	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.623836994 CEST	53	55050	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.624473095 CEST	53	54196	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.628256083 CEST	64034	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.628256083 CEST	53779	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.631563902 CEST	53	50215	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.635168076 CEST	53	53779	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.635987997 CEST	64389	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.636007071 CEST	54215	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.636390924 CEST	53	64034	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.636876106 CEST	58134	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.642752886 CEST	53	64389	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.643701077 CEST	51325	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.644537926 CEST	53	54215	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.645104885 CEST	52900	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.646836042 CEST	53	58134	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.647530079 CEST	49290	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.650979042 CEST	53	51325	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.651729107 CEST	56710	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.652446032 CEST	53	52900	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.654319048 CEST	53	49290	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.654937029 CEST	59633	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.659575939 CEST	53	56710	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.660391092 CEST	57100	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.661632061 CEST	53	59633	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.662101030 CEST	57258	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:37.667893887 CEST	53	57100	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:37.668807983 CEST	53	57258	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:47.716716051 CEST	60689	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:47.723458052 CEST	53	60689	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:47.724071980 CEST	50016	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:47.730720043 CEST	53	50016	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.350482941 CEST	64793	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.357409000 CEST	53	64793	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.374319077 CEST	60495	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.375483990 CEST	51941	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.381424904 CEST	53	60495	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.382760048 CEST	53	51941	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.385763884 CEST	57402	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.387679100 CEST	51184	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.394136906 CEST	53	57402	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.395242929 CEST	53	51184	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.400285006 CEST	57520	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.400929928 CEST	60158	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.407342911 CEST	53	57520	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.407569885 CEST	53	60158	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.409693003 CEST	52958	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.415998936 CEST	53078	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.417267084 CEST	53	52958	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.423281908 CEST	53	53078	1.1.1.1	192.168.2.5
Oct 14, 2024 09:46:50.436223030 CEST	60847	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:46:50.444161892 CEST	53	60847	1.1.1.1	192.168.2.5
Oct 14, 2024 09:47:08.250998020 CEST	52913	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:47:08.258044958 CEST	53	52913	1.1.1.1	192.168.2.5
Oct 14, 2024 09:47:08.259316921 CEST	59996	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:47:08.266047001 CEST	53	59996	1.1.1.1	192.168.2.5
Oct 14, 2024 09:47:20.806406021 CEST	61638	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:47:20.813344955 CEST	53	61638	1.1.1.1	192.168.2.5
Oct 14, 2024 09:47:21.500044107 CEST	57922	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:47:48.771409035 CEST	64844	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:47:48.778414965 CEST	53	64844	1.1.1.1	192.168.2.5
Oct 14, 2024 09:47:48.779442072 CEST	55055	53	192.168.2.5	1.1.1.1
Oct 14, 2024 09:47:48.787817955 CEST	53	55055	1.1.1.1	192.168.2.5
Oct 14, 2024 09:47:49.276710987 CEST	59214	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 09:46:21.507791996 CEST	192.168.2.5	1.1.1.1	0xe2bf	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:21.529371977 CEST	192.168.2.5	1.1.1.1	0x6830	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:22.176038980 CEST	192.168.2.5	1.1.1.1	0x7fee	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.176038980 CEST	192.168.2.5	1.1.1.1	0x6f1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.192318916 CEST	192.168.2.5	1.1.1.1	0xb686	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.235176086 CEST	192.168.2.5	1.1.1.1	0xafeb	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.236356020 CEST	192.168.2.5	1.1.1.1	0xd510	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:22.243123055 CEST	192.168.2.5	1.1.1.1	0xd264	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:23.063885927 CEST	192.168.2.5	1.1.1.1	0x88bd	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.064198971 CEST	192.168.2.5	1.1.1.1	0x1bf8	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.091196060 CEST	192.168.2.5	1.1.1.1	0x351e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.100100040 CEST	192.168.2.5	1.1.1.1	0x689a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.109006882 CEST	192.168.2.5	1.1.1.1	0xecc9	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:23.526269913 CEST	192.168.2.5	1.1.1.1	0xab4f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.531409979 CEST	192.168.2.5	1.1.1.1	0x302c	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.553787947 CEST	192.168.2.5	1.1.1.1	0x28d5	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.561477900 CEST	192.168.2.5	1.1.1.1	0x79d3	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.565296888 CEST	192.168.2.5	1.1.1.1	0xe58b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.569839954 CEST	192.168.2.5	1.1.1.1	0x4807	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.573062897 CEST	192.168.2.5	1.1.1.1	0x1e83	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:23.573999882 CEST	192.168.2.5	1.1.1.1	0xeb3f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:23.587105036 CEST	192.168.2.5	1.1.1.1	0x77e8	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:28.652595997 CEST	192.168.2.5	1.1.1.1	0xf0b3	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.689449072 CEST	192.168.2.5	1.1.1.1	0x916e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.697041035 CEST	192.168.2.5	1.1.1.1	0x9c9c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:28.741439104 CEST	192.168.2.5	1.1.1.1	0xfcf4	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.975374937 CEST	192.168.2.5	1.1.1.1	0x94a3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.988486052 CEST	192.168.2.5	1.1.1.1	0x6fe4	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.989029884 CEST	192.168.2.5	1.1.1.1	0xc7fc	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.991374016 CEST	192.168.2.5	1.1.1.1	0xd772	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:29.014861107 CEST	192.168.2.5	1.1.1.1	0x6b44	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:29.026243925 CEST	192.168.2.5	1.1.1.1	0x3345	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:29.030538082 CEST	192.168.2.5	1.1.1.1	0x6b3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:29.042237997 CEST	192.168.2.5	1.1.1.1	0x17d0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:29.044456005 CEST	192.168.2.5	1.1.1.1	0x7181	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:34.840030909 CEST	192.168.2.5	1.1.1.1	0x35b6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:34.978682995 CEST	192.168.2.5	1.1.1.1	0x5d70	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:37.616873980 CEST	192.168.2.5	1.1.1.1	0x9588	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.617616892 CEST	192.168.2.5	1.1.1.1	0x2626	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.618136883 CEST	192.168.2.5	1.1.1.1	0xa3cc	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.628256083 CEST	192.168.2.5	1.1.1.1	0x8440	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.628256083 CEST	192.168.2.5	1.1.1.1	0xd5a5	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635987997 CEST	192.168.2.5	1.1.1.1	0x7f70	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:37.636007071 CEST	192.168.2.5	1.1.1.1	0xbd0d	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.636876106 CEST	192.168.2.5	1.1.1.1	0x33e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:37.643701077 CEST	192.168.2.5	1.1.1.1	0xb5da	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.645104885 CEST	192.168.2.5	1.1.1.1	0x62ec	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 14, 2024 09:46:37.647530079 CEST	192.168.2.5	1.1.1.1	0xd1ad	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.651729107 CEST	192.168.2.5	1.1.1.1	0x1794	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.654937029 CEST	192.168.2.5	1.1.1.1	0xcd20	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.660391092 CEST	192.168.2.5	1.1.1.1	0xd029	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:37.662101030 CEST	192.168.2.5	1.1.1.1	0x9efd	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:47.716716051 CEST	192.168.2.5	1.1.1.1	0x9d3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:47.724071980 CEST	192.168.2.5	1.1.1.1	0x965e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:46:50.350482941 CEST	192.168.2.5	1.1.1.1	0x5577	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.374319077 CEST	192.168.2.5	1.1.1.1	0x237a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:50.375483990 CEST	192.168.2.5	1.1.1.1	0x9595	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.385763884 CEST	192.168.2.5	1.1.1.1	0xa61e	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.387679100 CEST	192.168.2.5	1.1.1.1	0xa81a	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.400285006 CEST	192.168.2.5	1.1.1.1	0x4072	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 14, 2024 09:46:50.400929928 CEST	192.168.2.5	1.1.1.1	0xe7e9	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.409693003 CEST	192.168.2.5	1.1.1.1	0xb937	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.415998936 CEST	192.168.2.5	1.1.1.1	0x7a84	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 09:46:50.436223030 CEST	192.168.2.5	1.1.1.1	0x1e34	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:47:08.250998020 CEST	192.168.2.5	1.1.1.1	0x9e26	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:47:08.259316921 CEST	192.168.2.5	1.1.1.1	0xcac6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:47:20.806406021 CEST	192.168.2.5	1.1.1.1	0x4292	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:47:21.500044107 CEST	192.168.2.5	1.1.1.1	0x53a0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:47:48.771409035 CEST	192.168.2.5	1.1.1.1	0x84e8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:47:48.779442072 CEST	192.168.2.5	1.1.1.1	0xe9c8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 09:47:49.276710987 CEST	192.168.2.5	1.1.1.1	0x9f9d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 09:46:21.470679045 CEST	1.1.1.1	192.168.2.5	0x7be5	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:21.515213966 CEST	1.1.1.1	192.168.2.5	0xe2bf	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.183095932 CEST	1.1.1.1	192.168.2.5	0x7fee	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.195569038 CEST	1.1.1.1	192.168.2.5	0x6f1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:22.195569038 CEST	1.1.1.1	192.168.2.5	0x6f1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.199407101 CEST	1.1.1.1	192.168.2.5	0xb686	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.242230892 CEST	1.1.1.1	192.168.2.5	0xafeb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:22.243499041 CEST	1.1.1.1	192.168.2.5	0xd510	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 14, 2024 09:46:22.250202894 CEST	1.1.1.1	192.168.2.5	0xd264	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 09:46:23.070802927 CEST	1.1.1.1	192.168.2.5	0x88bd	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.070888042 CEST	1.1.1.1	192.168.2.5	0x1bf8	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.070888042 CEST	1.1.1.1	192.168.2.5	0x1bf8	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.098053932 CEST	1.1.1.1	192.168.2.5	0x351e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.107718945 CEST	1.1.1.1	192.168.2.5	0x689a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.533262968 CEST	1.1.1.1	192.168.2.5	0xab4f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:23.533262968 CEST	1.1.1.1	192.168.2.5	0xab4f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.538317919 CEST	1.1.1.1	192.168.2.5	0x302c	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:23.538317919 CEST	1.1.1.1	192.168.2.5	0x302c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.539944887 CEST	1.1.1.1	192.168.2.5	0x8357	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:23.539944887 CEST	1.1.1.1	192.168.2.5	0x8357	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.560589075 CEST	1.1.1.1	192.168.2.5	0x28d5	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:23.560589075 CEST	1.1.1.1	192.168.2.5	0x28d5	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:23.560589075 CEST	1.1.1.1	192.168.2.5	0x28d5	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.568887949 CEST	1.1.1.1	192.168.2.5	0x79d3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.572985888 CEST	1.1.1.1	192.168.2.5	0xe58b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.586378098 CEST	1.1.1.1	192.168.2.5	0x4807	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:23.594131947 CEST	1.1.1.1	192.168.2.5	0x77e8	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 09:46:28.688429117 CEST	1.1.1.1	192.168.2.5	0xf0b3	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:28.688429117 CEST	1.1.1.1	192.168.2.5	0xf0b3	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:28.688429117 CEST	1.1.1.1	192.168.2.5	0xf0b3	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.696443081 CEST	1.1.1.1	192.168.2.5	0x916e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.748766899 CEST	1.1.1.1	192.168.2.5	0xfcf4	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:28.982666969 CEST	1.1.1.1	192.168.2.5	0x94a3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.986151934 CEST	1.1.1.1	192.168.2.5	0x563a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.995320082 CEST	1.1.1.1	192.168.2.5	0x6fe4	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.995990992 CEST	1.1.1.1	192.168.2.5	0xc7fc	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:28.995990992 CEST	1.1.1.1	192.168.2.5	0xc7fc	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:28.998075008 CEST	1.1.1.1	192.168.2.5	0xd772	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:29.033070087 CEST	1.1.1.1	192.168.2.5	0x3345	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:29.046082973 CEST	1.1.1.1	192.168.2.5	0x9d29	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:29.046082973 CEST	1.1.1.1	192.168.2.5	0x9d29	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:29.700936079 CEST	1.1.1.1	192.168.2.5	0xca69	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.623836994 CEST	1.1.1.1	192.168.2.5	0x9588	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.624473095 CEST	1.1.1.1	192.168.2.5	0x2626	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:37.624473095 CEST	1.1.1.1	192.168.2.5	0x2626	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.631563902 CEST	1.1.1.1	192.168.2.5	0xa3cc	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:37.631563902 CEST	1.1.1.1	192.168.2.5	0xa3cc	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.635168076 CEST	1.1.1.1	192.168.2.5	0xd5a5	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.636390924 CEST	1.1.1.1	192.168.2.5	0x8440	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.642752886 CEST	1.1.1.1	192.168.2.5	0x7f70	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 09:46:37.642752886 CEST	1.1.1.1	192.168.2.5	0x7f70	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 09:46:37.642752886 CEST	1.1.1.1	192.168.2.5	0x7f70	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 09:46:37.642752886 CEST	1.1.1.1	192.168.2.5	0x7f70	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 09:46:37.644537926 CEST	1.1.1.1	192.168.2.5	0xbd0d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.646836042 CEST	1.1.1.1	192.168.2.5	0x33e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 14, 2024 09:46:37.650979042 CEST	1.1.1.1	192.168.2.5	0xb5da	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:37.650979042 CEST	1.1.1.1	192.168.2.5	0xb5da	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.650979042 CEST	1.1.1.1	192.168.2.5	0xb5da	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.650979042 CEST	1.1.1.1	192.168.2.5	0xb5da	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.650979042 CEST	1.1.1.1	192.168.2.5	0xb5da	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.652446032 CEST	1.1.1.1	192.168.2.5	0x62ec	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 14, 2024 09:46:37.654319048 CEST	1.1.1.1	192.168.2.5	0xd1ad	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.659575939 CEST	1.1.1.1	192.168.2.5	0x1794	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.659575939 CEST	1.1.1.1	192.168.2.5	0x1794	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.659575939 CEST	1.1.1.1	192.168.2.5	0x1794	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.659575939 CEST	1.1.1.1	192.168.2.5	0x1794	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:37.661632061 CEST	1.1.1.1	192.168.2.5	0xcd20	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:47.723458052 CEST	1.1.1.1	192.168.2.5	0x9d3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.357409000 CEST	1.1.1.1	192.168.2.5	0x5577	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.382760048 CEST	1.1.1.1	192.168.2.5	0x9595	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.382760048 CEST	1.1.1.1	192.168.2.5	0x9595	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.382760048 CEST	1.1.1.1	192.168.2.5	0x9595	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.382760048 CEST	1.1.1.1	192.168.2.5	0x9595	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.394136906 CEST	1.1.1.1	192.168.2.5	0xa61e	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.394136906 CEST	1.1.1.1	192.168.2.5	0xa61e	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.394136906 CEST	1.1.1.1	192.168.2.5	0xa61e	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.394136906 CEST	1.1.1.1	192.168.2.5	0xa61e	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.395175934 CEST	1.1.1.1	192.168.2.5	0x63cf	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.395242929 CEST	1.1.1.1	192.168.2.5	0xa81a	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:50.395242929 CEST	1.1.1.1	192.168.2.5	0xa81a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.407569885 CEST	1.1.1.1	192.168.2.5	0xe7e9	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:50.417267084 CEST	1.1.1.1	192.168.2.5	0xb937	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:46:51.676897049 CEST	1.1.1.1	192.168.2.5	0x124d	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:51.676897049 CEST	1.1.1.1	192.168.2.5	0x124d	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:47:08.258044958 CEST	1.1.1.1	192.168.2.5	0x9e26	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:47:20.800709009 CEST	1.1.1.1	192.168.2.5	0x3011	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:47:21.506872892 CEST	1.1.1.1	192.168.2.5	0x53a0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:47:21.506872892 CEST	1.1.1.1	192.168.2.5	0x53a0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:47:48.778414965 CEST	1.1.1.1	192.168.2.5	0x84e8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:47:49.284554005 CEST	1.1.1.1	192.168.2.5	0x9f9d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:47:49.284554005 CEST	1.1.1.1	192.168.2.5	0x9f9d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	5492	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 09:46:22.236306906 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:22.710581064 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 39341 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:23.787070036 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:23.887465000 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 39342 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	34.107.221.82	80	5492	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 09:46:23.553021908 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:24.035134077 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 79328 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49729	34.107.221.82	80	5492	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 09:46:24.608015060 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:25.061456919 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50009 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:25.980812073 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:26.085407972 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50010 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:28.661885023 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:28.778692961 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50012 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:34.094044924 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:34.193697929 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50018 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:36.158093929 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:36.254631996 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50020 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:37.912231922 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:38.009071112 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50021 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:44.957391977 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:45.054090023 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50029 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:48.355721951 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:48.452827930 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50032 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:50.938970089 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:51.035722017 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50034 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:51.275579929 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:51.372236967 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50035 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:51.499222040 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:51.595659018 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50035 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:51.753542900 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:51.850506067 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50035 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:46:52.003190041 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:46:52.100279093 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50036 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:47:02.112587929 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:47:08.860359907 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:47:08.957189083 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50052 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:47:18.961733103 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:47:21.605789900 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:47:21.702719927 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50065 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:47:22.110618114 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:47:22.207488060 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50066 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:47:32.220916033 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:47:42.234107971 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:47:49.380641937 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 09:47:49.478605032 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 50093 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 09:47:59.489427090 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:48:09.502295017 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:48:19.511449099 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49731	34.107.221.82	80	5492	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 09:46:25.009012938 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:25.484448910 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68647 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:25.981296062 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:26.085679054 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68648 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:29.683087111 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:29.784754038 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68651 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:34.831989050 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:34.932488918 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68656 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:37.620299101 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:37.721250057 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68659 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:44.852122068 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:44.952833891 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68666 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:48.233685017 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:48.333806038 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68670 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:50.834994078 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:50.935414076 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68672 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:51.171413898 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:51.271744013 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68673 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:51.395807028 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:51.496011019 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68673 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:51.649405956 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:51.750097036 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68673 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:46:51.899619102 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:46:52.000070095 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68673 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:47:02.012303114 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:47:08.756297112 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:47:08.857124090 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68690 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:47:18.861438036 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:47:21.500392914 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:47:21.600856066 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68703 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:47:22.006618023 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:47:22.106874943 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68704 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:47:32.120625019 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:47:42.133534908 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:47:49.276483059 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 09:47:49.377527952 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 68731 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 09:47:59.389086962 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:48:09.402018070 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 09:48:19.419658899 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	03:46:14
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x410000
File size:	919'552 bytes
MD5 hash:	E6629643E8305D91FF0457EDB686F35C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:46:14
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x540000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:46:14
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:46:16
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x540000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:46:16
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:46:16
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x540000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:46:16
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x540000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x540000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	03:46:18
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e542091b-9dc7-4550-9d17-5ca93cbf51d1} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23a8b76d310 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	03:46:21
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -parentBuildID 20230927232528 -prefsHandle 3356 -prefMapHandle 4428 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46e7fab1-6afc-4bfb-bc0d-982fabcd3634} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23a9dd28510 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	03:46:28
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e25ea4-9a79-4ebf-bed9-2343228ad319} 5492 "\\.\pipe\gecko-crash-server-pipe.5492" 23aa55c4d10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	1516
Total number of Limit Nodes:	50

Executed Functions

Function 004142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0041430D

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

GetCurrentProcess.KERNEL32(?,004ACB64,00000000,?,?), ref: 00414422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00414429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00414454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00414466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00414474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004144A0

Strings

|O, xrefs: 004536F8
GetNativeSystemInfo, xrefs: 00414460
kernel32.dll, xrefs: 0041444F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: aaf28ca9ac9dff68355ec1cf01acc6150346ab212075de34b17506de4523a9e2
Instruction ID: 5bd0a10c115b8233cb2554a713b1d08cb2f7d6e949969e7e1139dd94e7fea33c
Opcode Fuzzy Hash: aaf28ca9ac9dff68355ec1cf01acc6150346ab212075de34b17506de4523a9e2
Instruction Fuzzy Hash: 6AA1C27198A2D0CFE711CB6978C05D97FA46B66741B0848FADC819BB33D2384959CB3E

Function 004142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004150AA,?,?,00000000,00000000), ref: 004142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004150AA,?,?,00000000,00000000), ref: 004142C9
LoadResource.KERNEL32(?,00000000,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20), ref: 004535BE
SizeofResource.KERNEL32(?,00000000,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20), ref: 004535D3
LockResource.KERNEL32(004150AA,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20,?), ref: 004535E6

Strings

SCRIPT, xrefs: 004142BF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 746cf777421605f4214d5d84872288f6da5fa601163c1849baf0c5c19e0d5c78
Instruction ID: 64b352aa6eec582408cddc42f2d7f946e43335457cb45514df6342ae0d7497fa
Opcode Fuzzy Hash: 746cf777421605f4214d5d84872288f6da5fa601163c1849baf0c5c19e0d5c78
Instruction Fuzzy Hash: 4E118E71600700BFD7218B65DC88FA77BBAEBC6B91F2041AEF402D6290DB71DC408675

Function 00452BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00412B6B

Part of subcall function 00413A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004E1418,?,00412E7F,?,?,?,00000000), ref: 00413A78

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004D2224), ref: 00452C10
ShellExecuteW.SHELL32(00000000,?,?,004D2224), ref: 00452C17

Strings

runas, xrefs: 00452C0B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: adc9694af30804778cb0f32cd20c049f26a85de0057f438f61f20be7b8d1c523
Instruction ID: ad4ded320dad4d48f974248dad2d2636c224a195f8523edf24c567d04a517595
Opcode Fuzzy Hash: adc9694af30804778cb0f32cd20c049f26a85de0057f438f61f20be7b8d1c523
Instruction Fuzzy Hash: B411D2312483456AC704FF21D9A19FE7BA4AB9175AF04142FF582421A3CF7C9A9AC71E

Function 0047D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047D501
Process32FirstW.KERNEL32(00000000,?), ref: 0047D50F
Process32NextW.KERNEL32(00000000,?), ref: 0047D52F
CloseHandle.KERNELBASE(00000000), ref: 0047D5DC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ae6df1fc43c79cceca9ac8620771c9b993d029c47febd1ffbe75dfa978aa0795
Instruction ID: f94cc9343f9b6e6d5958c8450b0b2dfa4962ca403455e7102376e4fbd1840aad
Opcode Fuzzy Hash: ae6df1fc43c79cceca9ac8620771c9b993d029c47febd1ffbe75dfa978aa0795
Instruction Fuzzy Hash: 4D31C471108300AFD300EF54C881AEFBBF8EF99348F14492EF585821A1EB759988CB96

Function 0047DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00455222), ref: 0047DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0047DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0047DBEE
FindClose.KERNEL32(00000000), ref: 0047DBFA

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 0d694c7e09d17afecbe423db6a296fda9315c71e712afbfc010a4e8934ba701c
Instruction ID: 09ebdddbf36ce4036177ee0147db7007318ee147bebc28438f175371bef3acbf
Opcode Fuzzy Hash: 0d694c7e09d17afecbe423db6a296fda9315c71e712afbfc010a4e8934ba701c
Instruction Fuzzy Hash: 0DF0A031C209105B92216B78AC4D8EB3BBC9E02334B148B53F83AC21E0EBB45D55869E

Function 00434CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000,?,004428E9), ref: 00434D09
TerminateProcess.KERNEL32(00000000,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000,?,004428E9), ref: 00434D10
ExitProcess.KERNEL32 ref: 00434D22

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 055a9437ebe809f51264ae9737a8e9a537305b218d522fa2cea4adfab8ac1e9c
Instruction ID: e2ce1280af31f4e8cff46ac7f0b083e64033e412971894a31d71b14f0566a782
Opcode Fuzzy Hash: 055a9437ebe809f51264ae9737a8e9a537305b218d522fa2cea4adfab8ac1e9c
Instruction Fuzzy Hash: 6EE0B631000148ABDFA1AF55DD49A993F69EB86785F104029FC159A232CB39ED42CB88

Function 0041BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#N, xrefs: 004607CE

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#N
API String ID: 3964851224-2222828212
Opcode ID: 7c7256de5aebfede7a5059d25cc691aa0045b6b956f5d397660c6e6c63295886
Instruction ID: 46ac8441f4e408f5f890657d813a83ac492ee8f03bec2790fc94a1389a817f05
Opcode Fuzzy Hash: 7c7256de5aebfede7a5059d25cc691aa0045b6b956f5d397660c6e6c63295886
Instruction Fuzzy Hash: 39A26E706083419FC714DF15C480B6BB7E1BF89304F54896EE89A8B352E779EC85CB9A

Function 0049AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0049B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0049B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0049B1D4
_wcslen.LIBCMT ref: 0049B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0049B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0049B236
_wcslen.LIBCMT ref: 0049B332

Part of subcall function 004805A7: GetStdHandle.KERNEL32(000000F6), ref: 004805C6

_wcslen.LIBCMT ref: 0049B34B
_wcslen.LIBCMT ref: 0049B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0049B3B6
GetLastError.KERNEL32(00000000), ref: 0049B407
CloseHandle.KERNEL32(?), ref: 0049B439
CloseHandle.KERNEL32(00000000), ref: 0049B44A
CloseHandle.KERNEL32(00000000), ref: 0049B45C
CloseHandle.KERNEL32(00000000), ref: 0049B46E
CloseHandle.KERNEL32(?), ref: 0049B4E3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: dce5db95391f94078f4c5331cad4d16ab776b727b90ab990cddbaadf58af8266
Instruction ID: 25048c09a4b289408e7811efd2d9f096f84f233f76021500413f10eee37acff8
Opcode Fuzzy Hash: dce5db95391f94078f4c5331cad4d16ab776b727b90ab990cddbaadf58af8266
Instruction Fuzzy Hash: B2F18F315042009FCB14EF25D985B6FBBE1EF85314F14856EF8855B2A2DB39EC44CB9A

Function 0041D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0041D807
timeGetTime.WINMM ref: 0041DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB28
TranslateMessage.USER32(?), ref: 0041DB7B
DispatchMessageW.USER32(?), ref: 0041DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB9F
Sleep.KERNELBASE(0000000A), ref: 0041DBB1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: fc30afacb4da65af0f07c6c1642baf5c1b581ddbffef7d3fd2867a03ec8dad16
Instruction ID: 233eb11a11d6ee92a0007f630f6eca49b9dfb503b303113e6136d5293f7cdb47
Opcode Fuzzy Hash: fc30afacb4da65af0f07c6c1642baf5c1b581ddbffef7d3fd2867a03ec8dad16
Instruction Fuzzy Hash: 9C42E6B0A08641EFD724CF25C984BAAB7E4BF45304F14452FE4568B391D7B8E885CB8B

Function 00412CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412D07
RegisterClassExW.USER32(00000030), ref: 00412D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00412D42
InitCommonControlsEx.COMCTL32(?), ref: 00412D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00412D6F
LoadIconW.USER32(000000A9), ref: 00412D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00412D94

Strings

AutoIt v3 GUI, xrefs: 00412D23
+, xrefs: 00412CF0
0, xrefs: 00412CE9
TaskbarCreated, xrefs: 00412D37

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 32c5a8e4bb33209f5f27b13525c99b181c67f46ff3983be29a8df546a1a241be
Instruction ID: 26d889eeab7737b67dd740a4315651944a1799193d87aa314ad0eb52171a6d8d
Opcode Fuzzy Hash: 32c5a8e4bb33209f5f27b13525c99b181c67f46ff3983be29a8df546a1a241be
Instruction Fuzzy Hash: 8621E3B5D41259AFDB40DFA4E889BDDBFB4FB09700F00812AF911AA2A1D7B50540CF98

Function 0045065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0045039A: CreateFileW.KERNELBASE(00000000,00000000,?,00450704,?,?,00000000,?,00450704,00000000,0000000C), ref: 004503B7

GetLastError.KERNEL32 ref: 0045076F
__dosmaperr.LIBCMT ref: 00450776
GetFileType.KERNELBASE(00000000), ref: 00450782
GetLastError.KERNEL32 ref: 0045078C
__dosmaperr.LIBCMT ref: 00450795
CloseHandle.KERNEL32(00000000), ref: 004507B5
CloseHandle.KERNEL32(?), ref: 004508FF
GetLastError.KERNEL32 ref: 00450931
__dosmaperr.LIBCMT ref: 00450938

Strings

H, xrefs: 004508BD

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 62422ab422a217111100034ea33636ba52f09ab7fcb2cecb204abd2e280dd0aa
Instruction ID: 8e904d2056069bcdf7042deb4b8b28dc10fc79de7f2d6027b8a517a76bdb949f
Opcode Fuzzy Hash: 62422ab422a217111100034ea33636ba52f09ab7fcb2cecb204abd2e280dd0aa
Instruction Fuzzy Hash: 8AA138369001448FDF19AF68D891BAE7BA0AB0A325F14015EFC119F3D2DB799C17CB99

Function 0041344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004E1418,?,00412E7F,?,?,?,00000000), ref: 00413A78

Part of subcall function 00413357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00413379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0041356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0045318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004531CE
RegCloseKey.ADVAPI32(?), ref: 00453210
_wcslen.LIBCMT ref: 00453277
_wcslen.LIBCMT ref: 00453286

Strings

\Include\, xrefs: 00413527
Software\AutoIt v3\AutoIt, xrefs: 00413560
\, xrefs: 0045328C
Include, xrefs: 00453184, 004531C5

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 13002e1a8feeb434b5f527f3f9c0bfcbfc2e5ec7fd1eea55d1858609a9db928c
Instruction ID: e858ca5e4124b1a09b43b7b6f1e66bc920bdadb0341b8ba7d42d13a84b332d22
Opcode Fuzzy Hash: 13002e1a8feeb434b5f527f3f9c0bfcbfc2e5ec7fd1eea55d1858609a9db928c
Instruction Fuzzy Hash: 66717F714043409EC314DF66DD8299BBBE8BF95744F40443FF94587262EBB89A88CF69

Function 00412B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00412B9D
LoadIconW.USER32(00000063), ref: 00412BB3
LoadIconW.USER32(000000A4), ref: 00412BC5
LoadIconW.USER32(000000A2), ref: 00412BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00412BEF
RegisterClassExW.USER32(?), ref: 00412C40

Part of subcall function 00412CD4: GetSysColorBrush.USER32(0000000F), ref: 00412D07
Part of subcall function 00412CD4: RegisterClassExW.USER32(00000030), ref: 00412D31
Part of subcall function 00412CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00412D42
Part of subcall function 00412CD4: InitCommonControlsEx.COMCTL32(?), ref: 00412D5F
Part of subcall function 00412CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00412D6F
Part of subcall function 00412CD4: LoadIconW.USER32(000000A9), ref: 00412D85
Part of subcall function 00412CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00412D94

Strings

AutoIt v3, xrefs: 00412C2F
#, xrefs: 00412C16
0, xrefs: 00412C0F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5f3defe11aa67fa14354c54093b3ed26a43743fd2890b839e2a8da65b06e3452
Instruction ID: 3b2bc01a16742ff9486beedea7918da6c5c0350a629f755a44a63e5c1f45029d
Opcode Fuzzy Hash: 5f3defe11aa67fa14354c54093b3ed26a43743fd2890b839e2a8da65b06e3452
Instruction Fuzzy Hash: 7D210974E40358ABEB109FA5ECD5AAD7FB4FB48B50F00403AE901AA6B1D7B51540DF98

Function 00413170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0041316A,?,?), ref: 004131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0041316A,?,?), ref: 00413204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00413227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0041316A,?,?), ref: 00413232
CreatePopupMenu.USER32 ref: 00413246
PostQuitMessage.USER32(00000000), ref: 00413267

Strings

TaskbarCreated, xrefs: 0041322D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4d7a731822c9f1eb19ae1bfe0d2bbd7754fc1f3ff387ec4789a8d7fc6d7e87a2
Instruction ID: 6c59f49d2d4b00ad51ea740e1028840623781f8c34ef55a238766ca6cf6b1d49
Opcode Fuzzy Hash: 4d7a731822c9f1eb19ae1bfe0d2bbd7754fc1f3ff387ec4789a8d7fc6d7e87a2
Instruction Fuzzy Hash: 1F411935380144B6DB146F689D8D7FE3A59E706346F04413BF901892B2CBBD9EC1876E

Function 00411410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00411459
CoUninitialize.COMBASE ref: 004114F8
UnregisterHotKey.USER32(?), ref: 004116DD
DestroyWindow.USER32(?), ref: 004524B9
FreeLibrary.KERNEL32(?), ref: 0045251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0045254B

Strings

close all, xrefs: 00411454

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8e9a22c9dccdcc8e646b6124bd51dee839857400eab36e5666cc0d2c267be717
Instruction ID: 1cdaf9cef9cef249be199b6956ef20ef562f5cfe89942317c1ea88c597efcc65
Opcode Fuzzy Hash: 8e9a22c9dccdcc8e646b6124bd51dee839857400eab36e5666cc0d2c267be717
Instruction Fuzzy Hash: FAD1CE30701222DFCB19EF15C594A6AF7A0BF06705F1441AFE90A6B362DB38AC56CF49

Function 00412C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00412C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00412CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00411CAD,?), ref: 00412CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00411CAD,?), ref: 00412CCF

Strings

AutoIt v3, xrefs: 00412C89, 00412C8E, 00412C8F
edit, xrefs: 00412CAC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2593c6742b82fe79092b42ec5e3f34119de21b5e21aa63ce0c963a6b0e605cb1
Instruction ID: 99052c86cc8cf3efcc0869b0853d3bb92962d71e3989a705adee18fcf6d74e1a
Opcode Fuzzy Hash: 2593c6742b82fe79092b42ec5e3f34119de21b5e21aa63ce0c963a6b0e605cb1
Instruction Fuzzy Hash: A5F03A759802D07AFB700713AC88E772EBDD7C7F50B00002AFD00AA5B1C2750840DAB8

Function 00413B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B83

Strings

Control Panel\Mouse, xrefs: 00413B3E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 089459aa4bae07c699fe4cf93e00379ad960607a0c012dee4c00178955b40e5d
Instruction ID: efe99ebc86e2a43639fa0a45ccb95c55ad0c1e52a376fff70b7430767290cc3a
Opcode Fuzzy Hash: 089459aa4bae07c699fe4cf93e00379ad960607a0c012dee4c00178955b40e5d
Instruction Fuzzy Hash: 34112AB5515208FFDB208FA5DC84AEFBBB8EF05745B10446AA805D7211E235AE809768

Function 00413923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004533A2

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00413A04

Strings

Line: , xrefs: 004533EB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9c8269cd77b392e4b6cc86720c9b986e4d0e489490e0938c946c4369cdf0796d
Instruction ID: 64eb98bd1e8a2c6d8bf1d1448a80795433b550d303183492142cb03938254339
Opcode Fuzzy Hash: 9c8269cd77b392e4b6cc86720c9b986e4d0e489490e0938c946c4369cdf0796d
Instruction Fuzzy Hash: 6E31E571448304AAD321EF20DC45BEBB7D8AF44719F10092FF999931A1DB789A89C7CE

Function 00412DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00452C8C

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 00412DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00412DC4

Strings

`eM, xrefs: 00452C85
X, xrefs: 00452C5A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eM
API String ID: 779396738-3105956497
Opcode ID: 007bc4fc2ed29e8fa6074b4542330180b982ea32c1c1f0f6e4dc116566c22c30
Instruction ID: 60189ebbf70a092f4650bb241f0bb35d40b29c1db4a319a09a0ab6a936fb48da
Opcode Fuzzy Hash: 007bc4fc2ed29e8fa6074b4542330180b982ea32c1c1f0f6e4dc116566c22c30
Instruction Fuzzy Hash: F221C671A00258ABDB41DF95D8457EE7BF89F49305F00805BE405E7341DBFC55898F69

Function 0042FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00430668

Part of subcall function 004332A4: RaiseException.KERNEL32(?,?,?,0043068A,?,004E1444,?,?,?,?,?,?,0043068A,00411129,004D8738,00411129), ref: 00433304

__CxxThrowException@8.LIBVCRUNTIME ref: 00430685

Strings

Unknown exception, xrefs: 00430692

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 69e14e7717e1c5e950dc7e9d52de0ed288cfc225bbd858c076ed927c420365e1
Instruction ID: 8a9ef89cd59e2d12a381263514402eb75b796a092c879378687861d6288dc8f0
Opcode Fuzzy Hash: 69e14e7717e1c5e950dc7e9d52de0ed288cfc225bbd858c076ed927c420365e1
Instruction Fuzzy Hash: CBF0283090020C73CB00FAA6E856D9F777C5E04314FA0423BB814D16D5EF78DA59C58C

Function 004110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00411BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411BF4
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00411BFC
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411C07
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00411C12
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00411C1A
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00411C22

Part of subcall function 00411B4A: RegisterWindowMessageW.USER32(00000004,?,004112C4), ref: 00411BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0041136A
OleInitialize.OLE32 ref: 00411388
CloseHandle.KERNEL32(00000000,00000000), ref: 004524AB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: edf4b1c9d4ce36de066d10ca834a21dcfb9e4e6da13ae5f4827b678026176e8a
Instruction ID: b84454b7ec4f0764e400905ca68859637c0bfc71ced587ec1fd0445a8f5a922f
Opcode Fuzzy Hash: edf4b1c9d4ce36de066d10ca834a21dcfb9e4e6da13ae5f4827b678026176e8a
Instruction Fuzzy Hash: 807181B4991380AF8384EF7AA9C56A93AE4BB89344754853FD41ACB372E7344481CF4D

Function 0047C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00413923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00413A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0047C259
KillTimer.USER32(?,00000001,?,?), ref: 0047C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0047C270

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 19cbec374081e78010e2f5191070ee544f18fa0f3289eaef025c164c73595352
Instruction ID: 07c0a4e9dda9abd1281bfa016e86650e58038c89447dd5e7653cab4097062b5a
Opcode Fuzzy Hash: 19cbec374081e78010e2f5191070ee544f18fa0f3289eaef025c164c73595352
Instruction Fuzzy Hash: 7731B170904344AFEB22CF6498D5BE7BBEC9B06308F0044DED69EA7242C7785A85CB59

Function 004486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004485CC,?,004D8CC8,0000000C), ref: 00448704
GetLastError.KERNEL32(?,004485CC,?,004D8CC8,0000000C), ref: 0044870E
__dosmaperr.LIBCMT ref: 00448739

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: cce0ef7157022dc22e8da79089ef6260ca41a62ec3158b915f3db859766f3306
Instruction ID: ea73b3928fc640aac435520ba355ecc7594b0d5115cddce301038186b9cb4e05
Opcode Fuzzy Hash: cce0ef7157022dc22e8da79089ef6260ca41a62ec3158b915f3db859766f3306
Instruction Fuzzy Hash: CA016F3360416027FAA16634588577F27594B92778F36011FFC148B2D3DDAC8C81815C

Function 0041DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0041DB7B
DispatchMessageW.USER32(?), ref: 0041DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB9F
Sleep.KERNELBASE(0000000A), ref: 0041DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00461CC9

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7dc6f04953acee438d6cfbe4919970260107ddd43f23a896f61b748bab606d7e
Instruction ID: 549212170e5995362c6f35e5c4ec1d5f8b3e2d2477322f221449ac2b3544161b
Opcode Fuzzy Hash: 7dc6f04953acee438d6cfbe4919970260107ddd43f23a896f61b748bab606d7e
Instruction Fuzzy Hash: 6AF054706443419BE770D761CC85FDB77ACEB45310F10452AE61A831D0DB38A4848B1E

Function 00421310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004217F6

Strings

CALL, xrefs: 004217C6

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f388de8371513ea5ba7c1ebe0f7ba614b96975cfbca758d26dbafc0493f3b6ba
Instruction ID: a776517bb2fe5df75cedd954906f4bafdafd1e5466ba507881bd09a3726e9400
Opcode Fuzzy Hash: f388de8371513ea5ba7c1ebe0f7ba614b96975cfbca758d26dbafc0493f3b6ba
Instruction Fuzzy Hash: 7422CE706083119FC714DF15E480B2ABBF1BF95308F54896EF8868B361D779E885CB8A

Function 00413837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413908

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f9938d2b0b43a721b09cec2748b82e54fc3efe950bbc5c5b80701b8e260995e1
Instruction ID: 056957f1de2ae35761f1b6e384e14098924950fae4bfab9b2b904b30d0ce5a52
Opcode Fuzzy Hash: f9938d2b0b43a721b09cec2748b82e54fc3efe950bbc5c5b80701b8e260995e1
Instruction Fuzzy Hash: 7B31AEB06043009FE320EF65D8847D7BBE8FB49709F00092FF99987251E775AA84CB5A

Function 0042F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0042F661

Part of subcall function 0041D730: GetInputState.USER32 ref: 0041D807

Sleep.KERNEL32(00000000), ref: 0046F2DE

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 12c28d855accd201bc2b3bfc37119bf12fa153e1894a38738301fabeec9362f7
Instruction ID: 6b4aa508ff43c5fcbd79eb740f9a3b29f5e869f4e5e1717f3dd2a331738286c1
Opcode Fuzzy Hash: 12c28d855accd201bc2b3bfc37119bf12fa153e1894a38738301fabeec9362f7
Instruction Fuzzy Hash: E8F08271240215AFD350EF65D445B9ABBE5FF45764F00003AE859C72A0EB70A840CF99

Function 00414ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E9C
Part of subcall function 00414E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414EAE
Part of subcall function 00414E90: FreeLibrary.KERNEL32(00000000,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EFD

Part of subcall function 00414E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E62
Part of subcall function 00414E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414E74
Part of subcall function 00414E59: FreeLibrary.KERNEL32(00000000,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E87

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7105be3e625b6789eedda4a0fb4253c0138869e0127055b4b7711cd55418853a
Instruction ID: 900f2c9c90345bbf6c8c6cc6d72cff397e7799e8d9f53e8a554612d68bf07ed7
Opcode Fuzzy Hash: 7105be3e625b6789eedda4a0fb4253c0138869e0127055b4b7711cd55418853a
Instruction Fuzzy Hash: 39112732600305ABCF11BF62DD02FED77A4AF80715F10842FF442AA2C1DE789A86D758

Function 00448402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00448440

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2ba38ccc1f517318ac4ca6c83e4bfe39dc5b3b419bedfe04272d4e55b40f7bb4
Instruction ID: 468fc146550a3b5ad369d51ca4c32303ba9c9804c984b30da46b8717e1514b66
Opcode Fuzzy Hash: 2ba38ccc1f517318ac4ca6c83e4bfe39dc5b3b419bedfe04272d4e55b40f7bb4
Instruction Fuzzy Hash: 9C11187590410AAFDB15DF58E94199F7BF5EF48314F14406AFC08AB312EA31EA11CBA9

Function 00445000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444C7D: RtlAllocateHeap.NTDLL(00000008,00411129,00000000,?,00442E29,00000001,00000364,?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?), ref: 00444CBE

_free.LIBCMT ref: 0044506C

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3207294c87015c732eee2cb8e60bba1371940945a62811add9f7db552efcf610
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: E9014E762047055BF7318F55D881A5AFBEDFB85370F65051EF184932C1EA746805C778

Function 0043E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 4d792ed2e3683cdd0f0f3db6df7e6a3928387465b157af95a35fa66ad32eb828
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2DF0F932912A14D6E6313A679C06B5B37989F66339F50171FF420922D2CB7CD40285AD

Function 00444C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00411129,00000000,?,00442E29,00000001,00000364,?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?), ref: 00444CBE

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 00b8a9029b60a4de6008d7f84fe3df22ef27a5458a4a8b3990a9dd5d917f4057
Instruction ID: 7ee51492ea6bf53f0f876b325c3ebd3a3d483ebfaeec00ef9577486e0ae18ae0
Opcode Fuzzy Hash: 00b8a9029b60a4de6008d7f84fe3df22ef27a5458a4a8b3990a9dd5d917f4057
Instruction Fuzzy Hash: CAF0B43164222466FB215F62AC85B5B3788AFC17B1B1E4127BC15AB2D1CA38D80146AC

Function 00443820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f80a1775c4178c73938ae438c7dc3135fc328c179332c78d4bdc76bbfe87b6fe
Instruction ID: 2be2194f537c97b26d387be2b5a0cfa5e511e3eb05b278967ff7e17510578f57
Opcode Fuzzy Hash: f80a1775c4178c73938ae438c7dc3135fc328c179332c78d4bdc76bbfe87b6fe
Instruction Fuzzy Hash: 49E0E53110022496F6213E679C01B9BB6C9AB82FB2F050037BC14966D1DB29ED0185ED

Function 00414F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414F6D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e81d9c48a0a96b64a1673927d00dc671cac0e2df3dc051f73cd1d71df787b82
Instruction ID: d8e467e417625fc9cc4bbec40cd4c4cc744f867c383fa02e1d3cfa8514ed483f
Opcode Fuzzy Hash: 5e81d9c48a0a96b64a1673927d00dc671cac0e2df3dc051f73cd1d71df787b82
Instruction Fuzzy Hash: 0BF0A970105302CFCB348F21D4908A2BBE0EF44329320897FE1EA86720C739988ADF08

Function 004A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004A2A66

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1c12b465f1a897295ca47a6b7ac2352397185d511a2daf52b6b321ac2aa30acf
Instruction ID: 2adda7da943e03969f9efe6a3a539bc8c6ab1c2384465282f44adeaf0f934759
Opcode Fuzzy Hash: 1c12b465f1a897295ca47a6b7ac2352397185d511a2daf52b6b321ac2aa30acf
Instruction Fuzzy Hash: 50E0DF72340116AEC750EA35DC809FE734CEB61399B00443BAC2AC2100DB788986A2A8

Function 004130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041314E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8d4745098d247c865b053b599f1c001060be833388ed5f776e639976ecd23720
Instruction ID: 9644816f2644e973a62ff5c4221b72a75d44b3e4d76f69f2c84862296c4903f2
Opcode Fuzzy Hash: 8d4745098d247c865b053b599f1c001060be833388ed5f776e639976ecd23720
Instruction Fuzzy Hash: DAF0A7709403449FE752DF24DC857D67BBCA70570CF0000F9A54896292D77447C8CF49

Function 00412DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00412DC4

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 07e93df19021665f8703897f14feb267f6a17ad950f393ec9de9c6906b6ee212
Instruction ID: 2739d31557871911e61141ce964b9a973c10960a1f6eb8ab37d91c0c6c9ed021
Opcode Fuzzy Hash: 07e93df19021665f8703897f14feb267f6a17ad950f393ec9de9c6906b6ee212
Instruction Fuzzy Hash: 2FE0C273A042245BCB20A2999C06FEA77EDDFC8794F0500B6FD09E7258DA64ED848698

Function 00412B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00413837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413908

Part of subcall function 0041D730: GetInputState.USER32 ref: 0041D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00412B6B

Part of subcall function 004130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041314E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 448c220d5c012b6285b664cea2ddf5140af79e0b910bfb50521a8966eba76f2c
Instruction ID: 05eef3e647f2d1bdc569f713e98c19156a91d242edd2c6bba7c316fc13daa8e0
Opcode Fuzzy Hash: 448c220d5c012b6285b664cea2ddf5140af79e0b910bfb50521a8966eba76f2c
Instruction Fuzzy Hash: 8AE04F3160424407CA04BF66A8525EDA7999B9535AF40553FF142862A3CF6C89C5435A

Function 0045039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00450704,?,?,00000000,?,00450704,00000000,0000000C), ref: 004503B7

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 13cd5b35064a8f4c334f2466d3f35b3b711b8666d2090b4f2faec2d5c0f6257b
Instruction ID: 04a77af7f8c2275ecb2ffb4b20581333ca1a498ae7f0c6d44ef901ceab7b802d
Opcode Fuzzy Hash: 13cd5b35064a8f4c334f2466d3f35b3b711b8666d2090b4f2faec2d5c0f6257b
Instruction Fuzzy Hash: 23D06C3214010DBBDF028F84DD46EDA3FAAFB48714F014010BE1856020C736E821AB94

Function 00411CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00411CBC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a651408382e47b846d8772c1fe62edfba992f306b6b4cddaca8a63fcdc23facc
Instruction ID: c43445fa6cd2b0e5a4a152cc0ed159e05a7acda552d4d864697e47614e2418b9
Opcode Fuzzy Hash: a651408382e47b846d8772c1fe62edfba992f306b6b4cddaca8a63fcdc23facc
Instruction Fuzzy Hash: 20C09B356C0354BFF2144780BDCAF107754A348B00F444011F6095D5F3C7F11810D758

Non-executed Functions

Function 004A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A96C9
SendMessageW.USER32 ref: 004A96F2
GetKeyState.USER32(00000011), ref: 004A978B
GetKeyState.USER32(00000009), ref: 004A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004A97AE
GetKeyState.USER32(00000010), ref: 004A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A97E9
SendMessageW.USER32 ref: 004A9810
SendMessageW.USER32(?,00001030,?,004A7E95), ref: 004A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004A9941
SetCapture.USER32(?), ref: 004A994A
ClientToScreen.USER32(?,?), ref: 004A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004A99D6
ReleaseCapture.USER32 ref: 004A99E1
GetCursorPos.USER32(?), ref: 004A9A19
ScreenToClient.USER32(?,?), ref: 004A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004A9A80
SendMessageW.USER32 ref: 004A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004A9AEB
SendMessageW.USER32 ref: 004A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004A9B4A
GetCursorPos.USER32(?), ref: 004A9B68
ScreenToClient.USER32(?,?), ref: 004A9B75
GetParent.USER32(?), ref: 004A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004A9BFA
SendMessageW.USER32 ref: 004A9C2B
ClientToScreen.USER32(?,?), ref: 004A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004A9CDE
SendMessageW.USER32 ref: 004A9D01
ClientToScreen.USER32(?,?), ref: 004A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004A9D82

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

GetWindowLongW.USER32(?,000000F0), ref: 004A9E05

Strings

p#N, xrefs: 004A9990
F, xrefs: 004A9D07
@GUI_DRAGID, xrefs: 004A997D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#N
API String ID: 3429851547-2054023450
Opcode ID: 3faf7f7d99aa7be426bc0ffa34db28e195b7383e21ce021d671e6d87b7168031
Instruction ID: 2872065ed9abebc30ef48a79d199d808c24ffbffe602ce20e88ab05f5eb9e2d2
Opcode Fuzzy Hash: 3faf7f7d99aa7be426bc0ffa34db28e195b7383e21ce021d671e6d87b7168031
Instruction Fuzzy Hash: CA42AC74605240AFDB24CF24CC84AABBBE5FF5A314F14062EF699872A1D735EC50CB5A

Function 004A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004A4A7E
IsMenu.USER32(?), ref: 004A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A4B20
GetWindowLongW.USER32(?,000000F0), ref: 004A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004A4C82
wsprintfW.USER32 ref: 004A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004A4D5A

Strings

%d/%02d/%02d, xrefs: 004A4CA8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 80b1819f44eb6403bc36e41b72e15589932672447e5f344b6c73eabee28bdb88
Instruction ID: d4e54a8277d1ec3bdc5d3dffb94d56975de19d66760bfbbcc03ba14aa7d86c4f
Opcode Fuzzy Hash: 80b1819f44eb6403bc36e41b72e15589932672447e5f344b6c73eabee28bdb88
Instruction Fuzzy Hash: D812D171600214AFEB258F24DC49FAF7BF8AFD6314F10412AF515EA2E1DBB89941CB58

Function 0042F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0042F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0046F474
IsIconic.USER32(00000000), ref: 0046F47D
ShowWindow.USER32(00000000,00000009), ref: 0046F48A
SetForegroundWindow.USER32(00000000), ref: 0046F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046F4AA
GetCurrentThreadId.KERNEL32 ref: 0046F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0046F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0046F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0046F4DE
SetForegroundWindow.USER32(00000000), ref: 0046F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F4F6
keybd_event.USER32(00000012,00000000), ref: 0046F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F50B
keybd_event.USER32(00000012,00000000), ref: 0046F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F519
keybd_event.USER32(00000012,00000000), ref: 0046F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F528
keybd_event.USER32(00000012,00000000), ref: 0046F52D
SetForegroundWindow.USER32(00000000), ref: 0046F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0046F557

Strings

Shell_TrayWnd, xrefs: 0046F46F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2b396dec389d5808e26e17054d6bf84b8e6eb8f18ddd4c07db2f3a4fc30e717a
Instruction ID: 6f0a8fd8c16c7855d3511cfa0acd8bab40b8d326641864457239685d22461f6e
Opcode Fuzzy Hash: 2b396dec389d5808e26e17054d6bf84b8e6eb8f18ddd4c07db2f3a4fc30e717a
Instruction Fuzzy Hash: 77315471B40328BFEB206BB55C8AFBF7E6CEB45B50F100076F601E61D1DAB55D00AA69

Function 00471201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
Part of subcall function 004716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
Part of subcall function 004716C3: GetLastError.KERNEL32 ref: 0047174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00471286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004712A8
CloseHandle.KERNEL32(?), ref: 004712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004712D1
GetProcessWindowStation.USER32 ref: 004712EA
SetProcessWindowStation.USER32(00000000), ref: 004712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00471310

Part of subcall function 004710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004711FC), ref: 004710D4
Part of subcall function 004710BF: CloseHandle.KERNEL32(?,?,004711FC), ref: 004710E9

Strings

, xrefs: 0047125A
winsta0, xrefs: 004712CC
ZM, xrefs: 00471392
default, xrefs: 0047130B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZM
API String ID: 22674027-4222036657
Opcode ID: 8ea6af06f53bd573f65e76c55f9f76494034890b387175284b794910541fb624
Instruction ID: 5ebe5b4610c0680d9d62e6ad8f3315e4581e40c96d5973091170d4397814dd83
Opcode Fuzzy Hash: 8ea6af06f53bd573f65e76c55f9f76494034890b387175284b794910541fb624
Instruction Fuzzy Hash: A481A171900209AFDF219FA8DC49FEF7FB9EF05704F14812AF914A62A0D7388944CB69

Function 00470B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
Part of subcall function 004710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
Part of subcall function 004710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
Part of subcall function 004710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00470BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00470C00
GetLengthSid.ADVAPI32(?), ref: 00470C17
GetAce.ADVAPI32(?,00000000,?), ref: 00470C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00470C6D
GetLengthSid.ADVAPI32(?), ref: 00470C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00470C8C
HeapAlloc.KERNEL32(00000000), ref: 00470C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00470CB4
CopySid.ADVAPI32(00000000), ref: 00470CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00470CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00470D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00470D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D45
HeapFree.KERNEL32(00000000), ref: 00470D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D55
HeapFree.KERNEL32(00000000), ref: 00470D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D65
HeapFree.KERNEL32(00000000), ref: 00470D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00470D78
HeapFree.KERNEL32(00000000), ref: 00470D7F

Part of subcall function 00471193: GetProcessHeap.KERNEL32(00000008,00470BB1,?,00000000,?,00470BB1,?), ref: 004711A1
Part of subcall function 00471193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470BB1,?), ref: 004711A8
Part of subcall function 00471193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00470BB1,?), ref: 004711B7

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1b8153b32cc06ffeacdc767c23e31243b0441e50c6438e83969ba2ff51be4d39
Instruction ID: f75398bc8c1c949a0eff6f3967684da32f54ae3d3bbeb5faa71af6c81c44da00
Opcode Fuzzy Hash: 1b8153b32cc06ffeacdc767c23e31243b0441e50c6438e83969ba2ff51be4d39
Instruction Fuzzy Hash: 5A714C7190120AEFDF209FE4DC84BEFBBB8AF05304F148526E919A6291D779A905CF64

Function 0048EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004ACC08), ref: 0048EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0048EB37
GetClipboardData.USER32(0000000D), ref: 0048EB43
CloseClipboard.USER32 ref: 0048EB4F
GlobalLock.KERNEL32(00000000), ref: 0048EB87
CloseClipboard.USER32 ref: 0048EB91
GlobalUnlock.KERNEL32(00000000), ref: 0048EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0048EBC9
GetClipboardData.USER32(00000001), ref: 0048EBD1
GlobalLock.KERNEL32(00000000), ref: 0048EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0048EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0048EC38
GetClipboardData.USER32(0000000F), ref: 0048EC44
GlobalLock.KERNEL32(00000000), ref: 0048EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0048EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0048EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0048ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0048ECF3
CountClipboardFormats.USER32 ref: 0048ED14
CloseClipboard.USER32 ref: 0048ED59

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 6b4e96f6a69040cf0d6115442954a480089e9f58b116ef10b6fea427e8af3e67
Instruction ID: 9306f0b11657eb8d9a23f21ffc00f9e261983ffbde9b1bd8d88eeb74486a11bb
Opcode Fuzzy Hash: 6b4e96f6a69040cf0d6115442954a480089e9f58b116ef10b6fea427e8af3e67
Instruction Fuzzy Hash: FC61F5352043029FD300EF26C884F6E7BE4AF85714F04496EF456872A2DB39ED45CB6A

Function 0048698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004869BE
FindClose.KERNEL32(00000000), ref: 00486A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00486A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00486A75

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00486AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00486ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00486B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00486B32
%02d, xrefs: 00486C00, 00486C0A, 00486C5A, 00486CAA, 00486CFA, 00486D4A
%4d, xrefs: 00486BB1
%03d, xrefs: 00486DA2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d50b361ecc7459d6a310d35c16ad13c7e183dbb0e16df1676b4f462f063730cb
Instruction ID: 952399157b43fb10bf334b2d9b7ad416bf02b22bcdc3439a9c8d05a9a9766f16
Opcode Fuzzy Hash: d50b361ecc7459d6a310d35c16ad13c7e183dbb0e16df1676b4f462f063730cb
Instruction Fuzzy Hash: BFD15371508300AFC714EBA5D891EAFB7ECAF88708F44491EF589C7291EB38DA44C766

Function 00489642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00489663
GetFileAttributesW.KERNEL32(?), ref: 004896A1
SetFileAttributesW.KERNEL32(?,?), ref: 004896BB
FindNextFileW.KERNEL32(00000000,?), ref: 004896D3
FindClose.KERNEL32(00000000), ref: 004896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0048974A
SetCurrentDirectoryW.KERNEL32(004D6B7C), ref: 00489768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00489772
FindClose.KERNEL32(00000000), ref: 0048977F
FindClose.KERNEL32(00000000), ref: 0048978F

Strings

*.*, xrefs: 004896F5

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b37c28f8aa6febed70524a5c74c0ac3342af179ceccea51debf3ec7e05f1a97a
Instruction ID: 76abdfb5c3706c9f0603e01a83b8f067962f123f56fa04c96d695ab40ba92a32
Opcode Fuzzy Hash: b37c28f8aa6febed70524a5c74c0ac3342af179ceccea51debf3ec7e05f1a97a
Instruction Fuzzy Hash: 9431B432500619AADB10BFB4DC48AEF77AC9F49320F1845A7E805E2290EB38DD408B5C

Function 0048979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00489819
FindClose.KERNEL32(00000000), ref: 00489824
FindFirstFileW.KERNEL32(*.*,?), ref: 00489840
SetCurrentDirectoryW.KERNEL32(?), ref: 00489890
SetCurrentDirectoryW.KERNEL32(004D6B7C), ref: 004898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004898B8
FindClose.KERNEL32(00000000), ref: 004898C5
FindClose.KERNEL32(00000000), ref: 004898D5

Part of subcall function 0047DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0047DB00

Strings

*.*, xrefs: 0048983B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 582084bc44084f2350d59844ef028be15d9055e5863383b6f64733860eee3faf
Instruction ID: 2526aa5c16bd58def1cde4d971fda47a61c40baeea5adc0bf30615f079905b43
Opcode Fuzzy Hash: 582084bc44084f2350d59844ef028be15d9055e5863383b6f64733860eee3faf
Instruction Fuzzy Hash: 5A31A532500A1A6EDF10BFB5DC48AEF77AC9F06324F1845A7E814A2290DB38DD458B6C

Function 0049BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0049BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0049BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0049C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0049C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0049C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0049C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0049C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0049C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0049C382
RegCloseKey.ADVAPI32(00000000), ref: 0049C38F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 5cbb20db5de75d270401d7a793aa6626d53db097390d172ae5ab82e3723d7cd5
Instruction ID: f8e0af166d31c316af214529f682295d1b4fd83829a2da681b95b168441c762d
Opcode Fuzzy Hash: 5cbb20db5de75d270401d7a793aa6626d53db097390d172ae5ab82e3723d7cd5
Instruction Fuzzy Hash: FF024D716042009FDB14DF24C8D5E2ABBE5EF89318F1884AEF84ACB2A2D735ED45CB55

Function 00488195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00488257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00488267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00488273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00488310
SetCurrentDirectoryW.KERNEL32(?), ref: 00488324
SetCurrentDirectoryW.KERNEL32(?), ref: 00488356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0048838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00488395

Strings

*.*, xrefs: 0048839B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 80373a1b7d3725b696cef15b87f7b1ed5e1f2b2db72753518e9ec4bd2d1dfda6
Instruction ID: 8c87cecdd7d48a25a21600357a76941b17b959492d1dc5e36fa3645ee2878ee6
Opcode Fuzzy Hash: 80373a1b7d3725b696cef15b87f7b1ed5e1f2b2db72753518e9ec4bd2d1dfda6
Instruction Fuzzy Hash: C6615B725043059FCB10EF61C88099FB3E9FF89318F44896EF98987251DB39E945CB9A

Function 0047D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

FindFirstFileW.KERNEL32(?,?), ref: 0047D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0047D1DD
MoveFileW.KERNEL32(?,?), ref: 0047D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0047D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047D237

Part of subcall function 0047D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0047D21C,?,?), ref: 0047D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0047D253
FindClose.KERNEL32(00000000), ref: 0047D264

Strings

\*.*, xrefs: 0047D0CD, 0047D0D6, 0047D0EB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 52b6dc8331a7ce922533ba6c519eb5c51158a04816a5c1bfc2b72679fcad07fe
Instruction ID: c9bd246417695e58f40d9c310ba86c615feddd4b560745cbcdddbfd4be17de3e
Opcode Fuzzy Hash: 52b6dc8331a7ce922533ba6c519eb5c51158a04816a5c1bfc2b72679fcad07fe
Instruction Fuzzy Hash: 50619271C1110D9FCF05EBE1C9929EDB775AF15304F2481AAE40677192EB386F4ACB68

Function 0048ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0048ED91
EmptyClipboard.USER32 ref: 0048ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0048EDAC
CloseClipboard.USER32 ref: 0048EEA3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cd68f13ec782993252d30324e1fb8098c14ce5da59e5cb62fc8a2c464e88e98a
Instruction ID: f6a1ee12a9bf1f9d6cd9cfd059f083aaf3a7f76c7cfd54588a7e6f3cede820cf
Opcode Fuzzy Hash: cd68f13ec782993252d30324e1fb8098c14ce5da59e5cb62fc8a2c464e88e98a
Instruction Fuzzy Hash: 4141A235604611DFD310DF16D888B6ABBE1EF45318F14C4AAE4198B7A2C739EC42CB98

Function 0047E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
Part of subcall function 004716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
Part of subcall function 004716C3: GetLastError.KERNEL32 ref: 0047174A

ExitWindowsEx.USER32(?,00000000), ref: 0047E932

Strings

, xrefs: 0047E95C
SeShutdownPrivilege, xrefs: 0047E902
@, xrefs: 0047E925
, xrefs: 0047E920

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c0bb1e47f55966020c3eb9b5c09e81f143c2da03bb055d585ed43775d9d982f9
Instruction ID: 4121d37f4915808f1e42dbe2fa5f43559ff917019860fa529bbb4499c1d22683
Opcode Fuzzy Hash: c0bb1e47f55966020c3eb9b5c09e81f143c2da03bb055d585ed43775d9d982f9
Instruction Fuzzy Hash: B4012BF3610210ABEB5426B69C85FFB765C9708744F158667FA06F21D1D6685C40829C

Function 00491204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00491276
WSAGetLastError.WSOCK32 ref: 00491283
bind.WSOCK32(00000000,?,00000010), ref: 004912BA
WSAGetLastError.WSOCK32 ref: 004912C5
closesocket.WSOCK32(00000000), ref: 004912F4
listen.WSOCK32(00000000,00000005), ref: 00491303
WSAGetLastError.WSOCK32 ref: 0049130D
closesocket.WSOCK32(00000000), ref: 0049133C

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f2901c0e9320d57d6022956eb0eba1e4c89fefc9eb384b579d7bac31061d82de
Instruction ID: 36fb13bde51371ff65b9a3fbae29feb4be3297c3ac66fa839b86cba43553d432
Opcode Fuzzy Hash: f2901c0e9320d57d6022956eb0eba1e4c89fefc9eb384b579d7bac31061d82de
Instruction Fuzzy Hash: A64162316001019FDB10EF64C484B6ABBE5BF46318F1881ADD8569F3E6C779ED81CBA5

Function 0044B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044B9D4
_free.LIBCMT ref: 0044B9F8
_free.LIBCMT ref: 0044BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004B3700), ref: 0044BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0044BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004E1270,000000FF,?,0000003F,00000000,?), ref: 0044BC36
_free.LIBCMT ref: 0044BD4B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 947d3d152d4689eb1bfec6cf6bdd486f82cd9c713d1e7efe0a6840d044974208
Instruction ID: e9597cbb70ea9c676cba07968464c17cb60811c319e0a9a9fe6d1cced2f7fdb4
Opcode Fuzzy Hash: 947d3d152d4689eb1bfec6cf6bdd486f82cd9c713d1e7efe0a6840d044974208
Instruction Fuzzy Hash: A5C11971A042459FEB209F6A8C81AAA7BB8EF45314F1441AFE990EB352D738DD4187D8

Function 0047D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

FindFirstFileW.KERNEL32(?,?), ref: 0047D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0047D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047D481
FindClose.KERNEL32(00000000), ref: 0047D498
FindClose.KERNEL32(00000000), ref: 0047D4A1

Strings

\*.*, xrefs: 0047D3F2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e8453d006fc1e7dfa993f2c16fbef677be51cae7b30a75245200ed417a9ecffb
Instruction ID: 881502f683e4a739534d3d2421454e492770a406ec2f3b67fa0c6386e1b0b148
Opcode Fuzzy Hash: e8453d006fc1e7dfa993f2c16fbef677be51cae7b30a75245200ed417a9ecffb
Instruction Fuzzy Hash: 2C31B2714183449BC300EF61C8918EF77E8AE91314F448E1FF4D552191EB38AA49C76B

Function 0044E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0044E645

Strings

1#IND, xrefs: 0044F83D
1#SNAN, xrefs: 0044F844
1#QNAN, xrefs: 0044F84B
1#INF, xrefs: 0044F852

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 55d8a0112e7536801a80e2d2face1bd2a77649d72c9dacf9f5349b32c2276289
Instruction ID: 7f2a59f8be7e269ccb82b669bf2442bb820b17bf4250837d9df762e4fa5cdb0f
Opcode Fuzzy Hash: 55d8a0112e7536801a80e2d2face1bd2a77649d72c9dacf9f5349b32c2276289
Instruction Fuzzy Hash: F4C24872E046288FEB25CE299D407EAB7B5FB48305F1441EBD80DE7241E778AE858F45

Function 0048648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004864DC
CoInitialize.OLE32(00000000), ref: 00486639
CoCreateInstance.OLE32(004AFCF8,00000000,00000001,004AFB68,?), ref: 00486650
CoUninitialize.OLE32 ref: 004868D4

Strings

.lnk, xrefs: 004864BA, 00486524, 004865E0

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 5746d0e128abf1746091c8fc35c349ecb1e70696260edf34eeb56ce358158970
Instruction ID: bd6775c1ad53ba9417aa207dd946af9fa3ab70a9163365b3164009be91aae2f7
Opcode Fuzzy Hash: 5746d0e128abf1746091c8fc35c349ecb1e70696260edf34eeb56ce358158970
Instruction Fuzzy Hash: 5ED15B71508301AFC304EF25C891AABB7E8FF98708F10496EF5958B291EB34ED45CB96

Function 004922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004922E8

Part of subcall function 0048E4EC: GetWindowRect.USER32(?,?), ref: 0048E504

GetDesktopWindow.USER32 ref: 00492312
GetWindowRect.USER32(00000000), ref: 00492319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00492355
GetCursorPos.USER32(?), ref: 00492381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004923DF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a8a07764a6c0faaf334571e613809a976c782fb92ab1b4b6bfa29b7e8829307b
Instruction ID: bda8f7bd6a7f8d7156a8f373fab8ae418e43ecd8c114459a1b6a3ef742074e25
Opcode Fuzzy Hash: a8a07764a6c0faaf334571e613809a976c782fb92ab1b4b6bfa29b7e8829307b
Instruction Fuzzy Hash: C931E672505315AFCB20DF25C845B5B7BE9FF89314F00092EF98597181DB78E908CB95

Function 00489B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00489B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00489C8B

Part of subcall function 00483874: GetInputState.USER32 ref: 004838CB
Part of subcall function 00483874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00483966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00489BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00489C75

Strings

*.*, xrefs: 00489B5D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 205a781e5336a773ee82f868c49ac03131397ed52d091963f8dde5e3f5b8f9b8
Instruction ID: 49a0db4858c119d05f826541f64bd1c1de7c45d6420c29d4adb679eba4af7771
Opcode Fuzzy Hash: 205a781e5336a773ee82f868c49ac03131397ed52d091963f8dde5e3f5b8f9b8
Instruction Fuzzy Hash: 2941B3719006099FDF15EF64C889AEE7BF4FF05310F24445BE805A2291EB39AE84CF68

Function 0042997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00429A4E
GetSysColor.USER32(0000000F), ref: 00429B23
SetBkColor.GDI32(?,00000000), ref: 00429B36

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4ef140965a7e9bddf5908c3ae7c646a6ee2ee3860e67d70e09dad162ffcfb65a
Instruction ID: f33e99569ca7314aa580f14835c56f0e6487d477b6a2df7b9c28cc2b4582c339
Opcode Fuzzy Hash: 4ef140965a7e9bddf5908c3ae7c646a6ee2ee3860e67d70e09dad162ffcfb65a
Instruction Fuzzy Hash: 45A12D703085A0BEE724AA2DAC98D7B295DEF43358F54411FF402C6792DA2D9D42C27F

Function 00491806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
Part of subcall function 0049304E: _wcslen.LIBCMT ref: 0049309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0049185D
WSAGetLastError.WSOCK32 ref: 00491884
bind.WSOCK32(00000000,?,00000010), ref: 004918DB
WSAGetLastError.WSOCK32 ref: 004918E6
closesocket.WSOCK32(00000000), ref: 00491915

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7e95823b984781d212d0e4ecb6d37d4c6716ace0ec562b3ecb0f5ad93d868c32
Instruction ID: 61dfaf6aaed178368c8f86e4d8af9b38a4c53dc191049b18f6dc8a06e67cc523
Opcode Fuzzy Hash: 7e95823b984781d212d0e4ecb6d37d4c6716ace0ec562b3ecb0f5ad93d868c32
Instruction Fuzzy Hash: 6251B171A00210AFDB10EF24C886F6A7BE5AB45718F04809DF9155F3D3C779ED428BA5

Function 004A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004A1CC0
IsWindowEnabled.USER32 ref: 004A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004A1CDB
IsIconic.USER32 ref: 004A1CE9
IsZoomed.USER32 ref: 004A1CF7

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 83be3fe16b0eada9d84b5d24131c50c0d88bf7c3195c116de9dfd601ca50eaf8
Instruction ID: 1b582f708d5333429c38d7c272864bafcb15e379d6e87731d89e9730ec1cd216
Opcode Fuzzy Hash: 83be3fe16b0eada9d84b5d24131c50c0d88bf7c3195c116de9dfd601ca50eaf8
Instruction Fuzzy Hash: A52197317406115FE7208F1AD884B677BE5EFA6325F19806EE846CB361C779EC42CB98

Function 00418060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00455DF0
VUUU, xrefs: 004183E8
ERCP, xrefs: 0041813C
VUUU, xrefs: 004183FA
VUUU, xrefs: 0041843C

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a47f74887cdec0ca62775d863d3a2791c6fad9aba549954cb7e236fff54248cf
Instruction ID: dcac04e15f16dcd5f4ad99a31405ad59be15cef23d9735500cacf7078ae58de4
Opcode Fuzzy Hash: a47f74887cdec0ca62775d863d3a2791c6fad9aba549954cb7e236fff54248cf
Instruction Fuzzy Hash: 00A28C70A0061ACBDF24CF58C9507EEB7B1AB54311F25819BEC15A7382EB389DC5CB99

Function 00478298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004782AA

Strings

|, xrefs: 004782DA
(, xrefs: 004782F0
tbM, xrefs: 004784F4

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbM$|
API String ID: 1659193697-2959561728
Opcode ID: 1f3107bc233b6917bffc585d16fca7ab5a95f20a43e32632d3a738617f4ba5bb
Instruction ID: 26f52a6da03ec17fb982b3d23b80084894bb90065f382fbebe4ab9c652514ebc
Opcode Fuzzy Hash: 1f3107bc233b6917bffc585d16fca7ab5a95f20a43e32632d3a738617f4ba5bb
Instruction Fuzzy Hash: 2C324674A007059FCB28CF19C484AAAB7F0FF48710B15C56EE89ADB7A1EB74E941CB44

Function 0047AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0047AAAC
SetKeyboardState.USER32(00000080), ref: 0047AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0047AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0047AB88

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e88283fa3b960101e8e1c967dc627a4e1c5f4b4010cdb7a1c330d9be1e59f62
Instruction ID: d047cb36b58012327e03cf793e2875beafb4bef4af9709bef7950b2e43ec58b9
Opcode Fuzzy Hash: 1e88283fa3b960101e8e1c967dc627a4e1c5f4b4010cdb7a1c330d9be1e59f62
Instruction Fuzzy Hash: E831FB30A40204AEFB25CA65C805BFF7BA6ABC5310F04C21BF289552D1D37CA965C75B

Function 0048CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0048CE89
GetLastError.KERNEL32(?,00000000), ref: 0048CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0048CEFE

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a9c051143c1e3b11bd2e1e4940b97909d37930246d3b9fa34ba0518a3cd32c00
Instruction ID: 7f7814d51e181b2f6b9beb3ab883d1bc04334b89ad5f6d1789026b9788c9685f
Opcode Fuzzy Hash: a9c051143c1e3b11bd2e1e4940b97909d37930246d3b9fa34ba0518a3cd32c00
Instruction Fuzzy Hash: 752192719003059BE730EF55D984BAB77F8EB51354F10482FE64692291D778ED058B68

Function 00485C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00485CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00485D17
FindClose.KERNEL32(?), ref: 00485D5F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 84f86bb209615a9e86f169a691e9267b644bf16b9ba532a07f7d90a7f9662fdf
Instruction ID: 17d6ded8bbdfeb055e7ab827c6b7c8d2470d14081125e9846a0701b152a51fdc
Opcode Fuzzy Hash: 84f86bb209615a9e86f169a691e9267b644bf16b9ba532a07f7d90a7f9662fdf
Instruction Fuzzy Hash: 6251AA346046019FC714DF28C494A9AB7E4FF49318F14895EE95A8B3A1CB38EC45CF95

Function 00442622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0044271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00442724
UnhandledExceptionFilter.KERNEL32(?), ref: 00442731

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e6634ef1f1cf553940349ee3d284e99854a98cefd423b437a59bbc8382b7cf6e
Instruction ID: f0a91f49a73f4d2670ce6a8201a05471ec36f34d493f05d08f924ae8020d6c70
Opcode Fuzzy Hash: e6634ef1f1cf553940349ee3d284e99854a98cefd423b437a59bbc8382b7cf6e
Instruction Fuzzy Hash: F431D67490121C9BCB21DF65DD897DDBBB8AF08310F5042EAE80CA7260E7749F818F48

Function 004851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00485238
SetErrorMode.KERNEL32(00000000), ref: 004852A1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cbfd20ac1b9916423c1bd9f7b370c35ce454e305f9f13a635842239b7a4dcb63
Instruction ID: b46b3ddad400828f7b0c3bd4e6fbbc9f4f51c2a9c9057384e1868e1abc44f79b
Opcode Fuzzy Hash: cbfd20ac1b9916423c1bd9f7b370c35ce454e305f9f13a635842239b7a4dcb63
Instruction Fuzzy Hash: 1F314F75A00518DFDB00EF55D8C4EADBBB4FF49318F04849AE8059B392DB35E856CB54

Function 004716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0042FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00430668
Part of subcall function 0042FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00430685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
GetLastError.KERNEL32 ref: 0047174A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d6759744601ebbdabb8cd3e76b1f565d2232adab4d7a3dec0a667158343e4808
Instruction ID: 18fc88071497311a0cba97fe41d400e6cfb07f12cfe12254bab8d2776a0ad4d1
Opcode Fuzzy Hash: d6759744601ebbdabb8cd3e76b1f565d2232adab4d7a3dec0a667158343e4808
Instruction Fuzzy Hash: E811C1B2514304AFD7189F54ECC6DABBBBDEB04714B60C52EE05693251EB74BC418B68

Function 0047D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0047D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047D650

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a6742f7660be72c51bd600da9fc50fb6fdfdd852e52e12c84e56d818b71834be
Instruction ID: b5a699aacca66e5602bb2e1963d6860e8a37be59f87fb75179525ac0aaec123b
Opcode Fuzzy Hash: a6742f7660be72c51bd600da9fc50fb6fdfdd852e52e12c84e56d818b71834be
Instruction Fuzzy Hash: 24117C71E01228BBDB108F949C84FAFBFBCEB45B50F108122F908E7290D6704A018BA5

Function 00471663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0047168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004716A1
FreeSid.ADVAPI32(?), ref: 004716B1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a259ebb3a9bd4bc8146d36e062b05acaa742873583dce6b6539371f138a4ed5c
Instruction ID: 0e2bef568d4ae50979519424c85f10ed086d26084bc358bcbfc30b265d87147d
Opcode Fuzzy Hash: a259ebb3a9bd4bc8146d36e062b05acaa742873583dce6b6539371f138a4ed5c
Instruction Fuzzy Hash: FAF0F47195030DFBDB00DFE49C89EAEBBBCEB09604F508565E501E2191E774AA448A54

Function 0044C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0044C36C

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: c0ed885b057a154dd4d4a007440493614cf3c8344ddb9dce7dacc7a261998021
Instruction ID: 8369cdf84fbea0b1922c9144b817f9f71b20c85c1454a9d6c02d077b6d318009
Opcode Fuzzy Hash: c0ed885b057a154dd4d4a007440493614cf3c8344ddb9dce7dacc7a261998021
Instruction Fuzzy Hash: 164149729012196FDB209FB9CC88EBB77B9EB84314F1442AEF905C7280E6749D41CB58

Function 0046D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0046D28C

Strings

X64, xrefs: 0046D2A8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 893398ad9dafa3edd6b738b8f27ec3f3615b9fdb97cc81ed712a2810b442ca0d
Instruction ID: ed0a3ed3a20f4c6a0c6a86f509358568946b49f33e52ce0ab44c71645a3f08ea
Opcode Fuzzy Hash: 893398ad9dafa3edd6b738b8f27ec3f3615b9fdb97cc81ed712a2810b442ca0d
Instruction Fuzzy Hash: FAD0C9B4D0516DEACB90CB90ECC8DD9B77CBB04305F100192F106A2000DB3495498F15

Function 0043CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 93108dced47ae960ecb6207f19bdd7daf14b010d4f522f71b178ba6952163ed0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 25021D72E002199BDF14CFA9C9C06AEFBF1EF48314F25916AD819F7384D735AA418B94

Function 0041CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00460C40
p#N, xrefs: 0041CF7F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#N
API String ID: 0-3233274810
Opcode ID: c758f5d67d77f277a1f363d3eca551ca7fc69e5f37f305e31ba0af17a94627e0
Instruction ID: eaf1ae8991d39c9fd18ce6b6a1c7b5a3536a6b9310fb3bb73bb85a732cb4285a
Opcode Fuzzy Hash: c758f5d67d77f277a1f363d3eca551ca7fc69e5f37f305e31ba0af17a94627e0
Instruction Fuzzy Hash: 77328E70940218DBDF14DF90D981AEEB7B5FF04308F14405BE806AB392E779AD86CB5A

Function 004868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00486918
FindClose.KERNEL32(00000000), ref: 00486961

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 59ebd294e15c8fe6538ac749b4ab6692e04ffde2667a46df7be83a552f42afa5
Instruction ID: 9d71941b85c6fcdba99199f5a1609a0b72cbea65a5800d56cdd19460d75f049e
Opcode Fuzzy Hash: 59ebd294e15c8fe6538ac749b4ab6692e04ffde2667a46df7be83a552f42afa5
Instruction Fuzzy Hash: 621181716042009FD710DF29D8C4A1ABBE5EF85328F15C6AEE4698F7A2C734EC45CB95

Function 004837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00494891,?,?,00000035,?), ref: 004837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00494891,?,?,00000035,?), ref: 004837F4

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1a44e45063fc424b86853aa1404ef490567e98cbb2e72d99a7bb7dc316c0e784
Instruction ID: 9eeae545dbadd5be335424df86c9b4d180ad6a20f6f13cbd3374a379a3265c39
Opcode Fuzzy Hash: 1a44e45063fc424b86853aa1404ef490567e98cbb2e72d99a7bb7dc316c0e784
Instruction Fuzzy Hash: 8FF0EC71A042142AD75027664C4DFDB7A9DDFC5B65F000176F505D2291D9609D44C7F8

Function 0047B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0047B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0047B270

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 34c6daeecc7c90afa9245fa8cd82a39deb64df1fd9a568f54d6be64025163a19
Instruction ID: 27d8c012cca1ca3818a3cc571a97bf8d54cc97717b1acda51ea59f53da98aea9
Opcode Fuzzy Hash: 34c6daeecc7c90afa9245fa8cd82a39deb64df1fd9a568f54d6be64025163a19
Instruction Fuzzy Hash: 9AF01D7580424EABDB059FA0C805BFE7FB4FF09309F00805AF955A5192C37986119F98

Function 004710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004711FC), ref: 004710D4
CloseHandle.KERNEL32(?,?,004711FC), ref: 004710E9

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2f06a02423cc23f8f71f895ba6cd15a06b5b6ab1099f6c8d9170ae763e71d167
Instruction ID: 99b901fce3db8f87312295d95c22310121ec12dc42d2ff0e07c4f11101fcbfc5
Opcode Fuzzy Hash: 2f06a02423cc23f8f71f895ba6cd15a06b5b6ab1099f6c8d9170ae763e71d167
Instruction Fuzzy Hash: D3E04F32018610AEE7252B61FC05EB37BA9EF04310B10883EF4A6804B1DB626C90DB58

Function 0044676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00446766,?,?,00000008,?,?,0044FEFE,00000000), ref: 00446998

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7e0699f6885c9e0e35e63e4f06ff1928b36fabb1e40a5a5284bea70460529ed5
Instruction ID: d393cb3b16803b487488d236cd6f9d7c94727054d244dfda872452f66f586e50
Opcode Fuzzy Hash: 7e0699f6885c9e0e35e63e4f06ff1928b36fabb1e40a5a5284bea70460529ed5
Instruction Fuzzy Hash: DDB16E71610608DFE715CF28C486B657BE0FF46364F268659E899CF3A2C339D982CB46

Function 0042B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0046851F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3f88c311f12813d9ae2998550c1f4482843a08754cbfa491248a302a7f4aef57
Instruction ID: 76232ba2bdb4dd4a55621ba40e147716257af1688b8bdec1df18873947bd21c7
Opcode Fuzzy Hash: 3f88c311f12813d9ae2998550c1f4482843a08754cbfa491248a302a7f4aef57
Instruction Fuzzy Hash: 07126F71A002299BCB14DF58D8806EEB7B5FF48310F54819BE849EB355EB389E81CF95

Function 0048EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0048EABD

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7212ef0b92fc8f380ed5a3efaf03d38414c787674acb62c3cddc732ad52ca21e
Instruction ID: 1781a261ba94e53d80adcaf363e293251e87bf873f1f1829f6dab33583834531
Opcode Fuzzy Hash: 7212ef0b92fc8f380ed5a3efaf03d38414c787674acb62c3cddc732ad52ca21e
Instruction Fuzzy Hash: 1BE01A31200204AFC710EF5AD844E9ABBE9AF98764F00842BFC49C7391DA74E8818B95

Function 004309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004303EE), ref: 004309DA

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a069eac97da2023fc5ff85f1cb8ec43ecea8412b9b591cdbb40bca010c4db709
Instruction ID: 991ab77617efdda4c5f72285da7c0ec40fb0d159deb7bbb2cff1c3768c8cb150
Opcode Fuzzy Hash: a069eac97da2023fc5ff85f1cb8ec43ecea8412b9b591cdbb40bca010c4db709
Instruction Fuzzy Hash:

Function 0043781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0043798B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 110126e8969a0e9dd53842a00397caa192adff14845f88466a9de7126b6a3ff4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DF5134E160C7456AEB3C6629449A7BF67859F0E344F183A0FE8C287382C61DDE02D35E

Function 00482046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&N, xrefs: 00482053

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: 0&N
API String ID: 0-2307969841
Opcode ID: 07183efe61759c0c6122caa06fbb8e47cfae173e81ac29cc90237ca9693c9288
Instruction ID: 5a794de70105e9bdb6ded61bf82c1de75a8d5c1544ed8ab870e91f3ec8027bfd
Opcode Fuzzy Hash: 07183efe61759c0c6122caa06fbb8e47cfae173e81ac29cc90237ca9693c9288
Instruction Fuzzy Hash: 8421EB326206118BDB28CF79C91367E73E9A754310F148A2EE4A7C73D1DEB9A904C784

Function 00446DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0968b6ffe64bf806d03d9ab60a54bc427789297fd9135d47466a2d5038968240
Instruction ID: 881136962dc75cc9bf3f34b6bc7bcc0ca3eb2d6e1765fa22485b7ef371f1c26b
Opcode Fuzzy Hash: 0968b6ffe64bf806d03d9ab60a54bc427789297fd9135d47466a2d5038968240
Instruction Fuzzy Hash: 8F323521D29F014EEB239635CD22336A64DAFB73C5F15D737E81AB5EA5EB68C4834104

Function 0042CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ca3e73ff07188aab83d9a94ca336fb4c74d74a551f28ffe4fe9bce99ff69fe
Instruction ID: c51d29c05a9ec3443fe24ba45c0e2700ca34eacb9bb1c584056eba32015b3e1f
Opcode Fuzzy Hash: 77ca3e73ff07188aab83d9a94ca336fb4c74d74a551f28ffe4fe9bce99ff69fe
Instruction Fuzzy Hash: 2A32E131B001558BDF28CE69D4D467E7BA1AF45300F68816BD4DA9B391F23C9E82DB4B

Function 00417920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46315ff4d06abdf6c409ee17110306186bde2a3f13c2425008bcaf872b44c1d3
Instruction ID: e79187e9489bcf6a0213a319a3d41cb664b3c4e337d71a61c055d85dfabdbe0e
Opcode Fuzzy Hash: 46315ff4d06abdf6c409ee17110306186bde2a3f13c2425008bcaf872b44c1d3
Instruction Fuzzy Hash: 7222F1B0A04609DFDF04CF65C991AFEB3B5FF48304F10412AE816A7291EB39AD55CB59

Function 004191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4444f9a0391d09c9fe50618b9d038a363dd65db3eec8be7b969609c09527e23a
Instruction ID: c4ea14548b8f248bac80e692cb8833e04a3c248062f6c23e961347b75e32532f
Opcode Fuzzy Hash: 4444f9a0391d09c9fe50618b9d038a363dd65db3eec8be7b969609c09527e23a
Instruction Fuzzy Hash: 0102F6B0E00109EBCB05DF65D981AAEB7B1FF44304F50816AE816DB391E739EE55CB89

Function 00449EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985c991bc033f74a7c532f2352aa882db713a6ed12624c534da32706451a2290
Instruction ID: 079241d686458ae519cec04d320dcdebed1900bfd42149ffe0d8f6bdec5cbed8
Opcode Fuzzy Hash: 985c991bc033f74a7c532f2352aa882db713a6ed12624c534da32706451a2290
Instruction Fuzzy Hash: 33B10720D2AF504ED7239A398871337B69C6FB76D6F51E72BFC1674D22EB2185834144

Function 00431C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 88aa4d5110643c649ddbc04e2564b90e9b6b4898e293fa57585c52177d949e86
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EF9198721080A34ADB29423E853503FFFE15E563B1B1A279FD4F2CA2E1FE18D954D624

Function 004319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 22f1bcf4688c62c16413c403157820c39866a4f555445a4a06d86e54ad177b84
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: F291C6722090E30ADB2D427A847403FFFE14A963B2B1A279FD4F2CA2E1FD18D555D624

Function 00437A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665f1f512deed0926ffc35e1f86ea16cee1f24a7845e9de2f44113ac22bf4de6
Instruction ID: 0ab1eda3c4a2fc816106b00c2e7bdc9c09070e2be8bb8df06286ae26a1288aaa
Opcode Fuzzy Hash: 665f1f512deed0926ffc35e1f86ea16cee1f24a7845e9de2f44113ac22bf4de6
Instruction Fuzzy Hash: AC613AE120874956DA34AA2848957BFB3A4DF4D718F14391FF8C2DB382D61DAE42C35E

Function 00437CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6a13024682c61d09378aabdfe7cc2aa841bb2a405dfad74ccdf5efd8af8506
Instruction ID: b2a439f55ce16124dc78880318638c415f119d223588e3b7d968c0c4349d371b
Opcode Fuzzy Hash: 9e6a13024682c61d09378aabdfe7cc2aa841bb2a405dfad74ccdf5efd8af8506
Instruction Fuzzy Hash: E1616BF120870966DE385A289892BBF63949F4D744F20395FF9C3DB381D61E9D42825E

Function 00431706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 769b7f0385c46742cd252e659e0394e639662515a03f0afdc5151e829fa24050
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 0F8196725080A309DB2D423A857443FFFE15E963A1B1E179FD4F2CA2E1EE18C554D628

Function 00492ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00492B30
DeleteObject.GDI32(00000000), ref: 00492B43
DestroyWindow.USER32 ref: 00492B52
GetDesktopWindow.USER32 ref: 00492B6D
GetWindowRect.USER32(00000000), ref: 00492B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00492CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00492CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492CF8
GetClientRect.USER32(00000000,?), ref: 00492D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00492D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D80
GlobalLock.KERNEL32(00000000), ref: 00492D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D98
GlobalUnlock.KERNEL32(00000000), ref: 00492DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492DA8
GlobalFree.KERNEL32(00000000), ref: 00492DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,004AFC38,00000000), ref: 00492DDB
GlobalFree.KERNEL32(00000000), ref: 00492DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00492E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00492E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0049303F

Strings

DISPLAY, xrefs: 00492EA2
static, xrefs: 00492D3A, 00492E91
, xrefs: 00492FC5
AutoIt v3, xrefs: 00492CF2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 48e8eb2a03e54829c18017eeefd8fa3ca7c4d6be2a3aa6711a90ad40ac848b43
Instruction ID: ffe006199e9f278330d7a5bd163bf6eceddee57d23d595ee7ffd9f292397d65f
Opcode Fuzzy Hash: 48e8eb2a03e54829c18017eeefd8fa3ca7c4d6be2a3aa6711a90ad40ac848b43
Instruction Fuzzy Hash: 8B027D71A00205AFDB14DF64CD89EAE7FB9EF49314F008169F915AB2A1DB74AD01CF68

Function 004A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004A712F
GetSysColorBrush.USER32(0000000F), ref: 004A7160
GetSysColor.USER32(0000000F), ref: 004A716C
SetBkColor.GDI32(?,000000FF), ref: 004A7186
SelectObject.GDI32(?,?), ref: 004A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004A71C0
GetSysColor.USER32(00000010), ref: 004A71C8
CreateSolidBrush.GDI32(00000000), ref: 004A71CF
FrameRect.USER32(?,?,00000000), ref: 004A71DE
DeleteObject.GDI32(00000000), ref: 004A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004A7230
FillRect.USER32(?,?,?), ref: 004A7262
GetWindowLongW.USER32(?,000000F0), ref: 004A7284

Part of subcall function 004A73E8: GetSysColor.USER32(00000012), ref: 004A7421
Part of subcall function 004A73E8: SetTextColor.GDI32(?,?), ref: 004A7425
Part of subcall function 004A73E8: GetSysColorBrush.USER32(0000000F), ref: 004A743B
Part of subcall function 004A73E8: GetSysColor.USER32(0000000F), ref: 004A7446
Part of subcall function 004A73E8: GetSysColor.USER32(00000011), ref: 004A7463
Part of subcall function 004A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004A7471
Part of subcall function 004A73E8: SelectObject.GDI32(?,00000000), ref: 004A7482
Part of subcall function 004A73E8: SetBkColor.GDI32(?,00000000), ref: 004A748B
Part of subcall function 004A73E8: SelectObject.GDI32(?,?), ref: 004A7498
Part of subcall function 004A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004A74B7
Part of subcall function 004A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004A74CE
Part of subcall function 004A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004A74DB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7e3ba27dfc4fceb1822dc7db107000eb912b1216b2826e502d08f3a45506fba6
Instruction ID: f9750ebc21ed2f779264fe058ba64ec8d91ebe6f7ce6eb81098d1e806a156fdc
Opcode Fuzzy Hash: 7e3ba27dfc4fceb1822dc7db107000eb912b1216b2826e502d08f3a45506fba6
Instruction Fuzzy Hash: 21A1B072508311BFDB509F60DC88A6B7BE9FF4A320F100A29F962961E1D734E945CF56

Function 00428D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00428E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00466AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00466AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00466F43

Part of subcall function 00428F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00428BE8,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428FC5

SendMessageW.USER32(?,00001053), ref: 00466F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00466F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00466FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00466FB7

Strings

0, xrefs: 00466DCF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0ae642a49dc10cab2eb136b1e90c390d6a728b744337930b170b8338b7df97e8
Instruction ID: e85ca2b2c90c6feb97eea3cbf86d1acb8bcee936fe23978b98dc5e39ab1ebc98
Opcode Fuzzy Hash: 0ae642a49dc10cab2eb136b1e90c390d6a728b744337930b170b8338b7df97e8
Instruction Fuzzy Hash: 2312AD30201261EFD725CF14D884BAABBE5FB45300F56446EF485CB262DB39AC52CF9A

Function 00492711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0049273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0049286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00492900
GetClientRect.USER32(00000000,?), ref: 0049290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00492955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00492964
GetStockObject.GDI32(00000011), ref: 00492974
SelectObject.GDI32(00000000,00000000), ref: 00492978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00492988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00492991
DeleteDC.GDI32(00000000), ref: 0049299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00492A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00492A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00492A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00492A77
GetStockObject.GDI32(00000011), ref: 00492A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00492A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00492A97

Strings

DISPLAY, xrefs: 0049295A
msctls_progress32, xrefs: 00492A13
static, xrefs: 0049294F, 00492A71
AutoIt v3, xrefs: 004928F8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f02e6e03209e82f10c4dcfa8a99c1eccd857aca8c649c6cbd17841e4bc6b8f98
Instruction ID: ac55f365a4a78227d321ccebc7043afebb5a7eabf6cfe2735ba8c94126c14207
Opcode Fuzzy Hash: f02e6e03209e82f10c4dcfa8a99c1eccd857aca8c649c6cbd17841e4bc6b8f98
Instruction Fuzzy Hash: BFB16D71A40215BFEB14DFA8CD85FAF7BA9EB05714F004129F914EB2A1D774AD40CBA8

Function 00484ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00484AED
GetDriveTypeW.KERNEL32(?,004ACB68,?,\\.\,004ACC08), ref: 00484BCA
SetErrorMode.KERNEL32(00000000,004ACB68,?,\\.\,004ACC08), ref: 00484D36

Strings

USB, xrefs: 00484CB4
FileBackedVirtual, xrefs: 00484CEC
MMC, xrefs: 00484CDE
Fibre, xrefs: 00484CAD
SCSI, xrefs: 00484C8A
ATAPI, xrefs: 00484C91
SATA, xrefs: 00484CD0
\\.\, xrefs: 00484B3F
SAS, xrefs: 00484CC9
1394, xrefs: 00484C9F
Network, xrefs: 00484C02
RAMDisk, xrefs: 00484BF4
ATA, xrefs: 00484C98
Fixed, xrefs: 00484C09
SSA, xrefs: 00484CA6
CDROM, xrefs: 00484BFB
PhysicalDrive, xrefs: 00484B76
RAID, xrefs: 00484CBB
SSD, xrefs: 00484C4A
iSCSI, xrefs: 00484CC2
Removable, xrefs: 00484C10, 00484C15
Unknown, xrefs: 00484BED, 00484C83
Virtual, xrefs: 00484CE5

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7ebe6ad75f755881f33468f4446c242a2916dd2afe087671c2a08d4cf28eaebd
Instruction ID: 427a2dd218af584eb15e7a214791de95c45331cfc946f5d6ba2a1a272927d42f
Opcode Fuzzy Hash: 7ebe6ad75f755881f33468f4446c242a2916dd2afe087671c2a08d4cf28eaebd
Instruction Fuzzy Hash: 8161C2307011079BCB04FF24C991AADB7A5AB84744B22881BF806AB751DB7DED42DB5E

Function 004A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004A7421
SetTextColor.GDI32(?,?), ref: 004A7425
GetSysColorBrush.USER32(0000000F), ref: 004A743B
GetSysColor.USER32(0000000F), ref: 004A7446
CreateSolidBrush.GDI32(?), ref: 004A744B
GetSysColor.USER32(00000011), ref: 004A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004A7471
SelectObject.GDI32(?,00000000), ref: 004A7482
SetBkColor.GDI32(?,00000000), ref: 004A748B
SelectObject.GDI32(?,?), ref: 004A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004A7572
DrawFocusRect.USER32(?,?), ref: 004A757D
GetSysColor.USER32(00000011), ref: 004A758E
SetTextColor.GDI32(?,00000000), ref: 004A7596
DrawTextW.USER32(?,004A70F5,000000FF,?,00000000), ref: 004A75A8
SelectObject.GDI32(?,?), ref: 004A75BF
DeleteObject.GDI32(?), ref: 004A75CA
SelectObject.GDI32(?,?), ref: 004A75D0
DeleteObject.GDI32(?), ref: 004A75D5
SetTextColor.GDI32(?,?), ref: 004A75DB
SetBkColor.GDI32(?,?), ref: 004A75E5

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 62cfe1381b38b71ccb6e936f21ed0db56e0524fea45440ced7ba65b98672198b
Instruction ID: 08a8fdc4e1a997d8656ee657d41150064e53ff0c03ac1a4196fc342feacf585f
Opcode Fuzzy Hash: 62cfe1381b38b71ccb6e936f21ed0db56e0524fea45440ced7ba65b98672198b
Instruction Fuzzy Hash: 41615F72D04218BFDF119FA4DC89AAE7FB9EB0A320F114125F915AB2A1D7749940CF94

Function 004A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004A1128
GetDesktopWindow.USER32 ref: 004A113D
GetWindowRect.USER32(00000000), ref: 004A1144
GetWindowLongW.USER32(?,000000F0), ref: 004A1199
DestroyWindow.USER32(?), ref: 004A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004A1245
IsWindowVisible.USER32(00000000), ref: 004A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004A12D0
GetWindowRect.USER32(00000000,?), ref: 004A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004A130E
GetMonitorInfoW.USER32(00000000,?), ref: 004A1328
CopyRect.USER32(?,?), ref: 004A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004A13AA

Strings

(, xrefs: 004A131B
tooltips_class32, xrefs: 004A11E6
0, xrefs: 004A10D3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 22dc715e092b7db86997d443cd8f30914446447dd2da8694ece98b2402bc7719
Instruction ID: 0ffc2c64c37b8490d36b32f9974f36d28d8c94be82043d8f3acc072a01946b38
Opcode Fuzzy Hash: 22dc715e092b7db86997d443cd8f30914446447dd2da8694ece98b2402bc7719
Instruction Fuzzy Hash: 94B1AE71608340AFD700DF65C884BABBBE4FF99354F00891EF9999B261C735E845CB99

Function 004A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A02E5
_wcslen.LIBCMT ref: 004A031F
_wcslen.LIBCMT ref: 004A0389
_wcslen.LIBCMT ref: 004A03F1
_wcslen.LIBCMT ref: 004A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004A0504

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

Part of subcall function 0047223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00472258
Part of subcall function 0047223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0047228A

Strings

DESELECT, xrefs: 004A059C
GETTEXT, xrefs: 004A03EC, 004A0407
FINDITEM, xrefs: 004A0627
GETSUBITEMCOUNT, xrefs: 004A0384, 004A039F
GETSELECTED, xrefs: 004A05E1
GETSELECTEDCOUNT, xrefs: 004A0470, 004A048B
VIEWCHANGE, xrefs: 004A0675
SELECTINVERT, xrefs: 004A057E
GETITEMCOUNT, xrefs: 004A0316, 004A0337
ISSELECTED, xrefs: 004A04DD
SELECTALL, xrefs: 004A0515
SELECT, xrefs: 004A0548
SELECTCLEAR, xrefs: 004A052D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 8bae7d9e2864a4c7ddbb3d1f7814e8f1ae5bb241f1fc9bbb8b66333534eb2381
Instruction ID: 18ae399115aa6f0accb2650a70511161145c9c3628812edb00ffb1e0d68a9a9c
Opcode Fuzzy Hash: 8bae7d9e2864a4c7ddbb3d1f7814e8f1ae5bb241f1fc9bbb8b66333534eb2381
Instruction Fuzzy Hash: 9FE1D3312082009FC714DF25C55096BB3E2BFA9718F54496FF8969B391D738ED45CB8A

Function 00428891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00428968
GetSystemMetrics.USER32(00000007), ref: 00428970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0042899B
GetSystemMetrics.USER32(00000008), ref: 004289A3
GetSystemMetrics.USER32(00000004), ref: 004289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00428A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00428A3C
GetClientRect.USER32(00000000,000000FF), ref: 00428A5A
GetStockObject.GDI32(00000011), ref: 00428A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00428A81

Part of subcall function 0042912D: GetCursorPos.USER32(?), ref: 00429141
Part of subcall function 0042912D: ScreenToClient.USER32(00000000,?), ref: 0042915E
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000001), ref: 00429183
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000002), ref: 0042919D

SetTimer.USER32(00000000,00000000,00000028,004290FC), ref: 00428AA8

Strings

AutoIt v3 GUI, xrefs: 00428A20

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 5f8ba771d19987adb07de9170ad83bdb939ca2147108a9e47d0a27ffd58f4270
Instruction ID: f0d2f4109e6c040b0ed59e70fe219348a0646202f3286822d3bfbae8bd7143cb
Opcode Fuzzy Hash: 5f8ba771d19987adb07de9170ad83bdb939ca2147108a9e47d0a27ffd58f4270
Instruction Fuzzy Hash: 6DB1A171A002199FDB14DF68DC85BAE3BB5FB48315F11422AFA05EB290DB38E841CF59

Function 00470D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
Part of subcall function 004710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
Part of subcall function 004710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
Part of subcall function 004710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00470DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00470E29
GetLengthSid.ADVAPI32(?), ref: 00470E40
GetAce.ADVAPI32(?,00000000,?), ref: 00470E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00470E96
GetLengthSid.ADVAPI32(?), ref: 00470EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00470EB5
HeapAlloc.KERNEL32(00000000), ref: 00470EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00470EDD
CopySid.ADVAPI32(00000000), ref: 00470EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00470F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00470F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00470F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F6E
HeapFree.KERNEL32(00000000), ref: 00470F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F7E
HeapFree.KERNEL32(00000000), ref: 00470F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F8E
HeapFree.KERNEL32(00000000), ref: 00470F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00470FA1
HeapFree.KERNEL32(00000000), ref: 00470FA8

Part of subcall function 00471193: GetProcessHeap.KERNEL32(00000008,00470BB1,?,00000000,?,00470BB1,?), ref: 004711A1
Part of subcall function 00471193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470BB1,?), ref: 004711A8
Part of subcall function 00471193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00470BB1,?), ref: 004711B7

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ad664e0038d737355d8e93589271598f1583315f857685ac41813197bac5a640
Instruction ID: 7099d9c0095d656a1b53d86a66b4f77c82821f2cff5746ffa2e987abacfeea12
Opcode Fuzzy Hash: ad664e0038d737355d8e93589271598f1583315f857685ac41813197bac5a640
Instruction Fuzzy Hash: 60714CB290520AEBDB20DFA5DC44BEFBBB8BF05300F148126F919B6291D7759905CF68

Function 0049C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004ACC08,00000000,?,00000000,?,?), ref: 0049C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0049C5A4
_wcslen.LIBCMT ref: 0049C5F4
_wcslen.LIBCMT ref: 0049C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0049C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0049C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0049C84D
RegCloseKey.ADVAPI32(?), ref: 0049C881
RegCloseKey.ADVAPI32(00000000), ref: 0049C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0049C960

Strings

REG_MULTI_SZ, xrefs: 0049C6F5
REG_DWORD, xrefs: 0049C804
REG_QWORD, xrefs: 0049C8C3
REG_EXPAND_SZ, xrefs: 0049C5CD
REG_BINARY, xrefs: 0049C913
REG_SZ, xrefs: 0049C644

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ea4ac931ed11933e21a7c83c2425bb7c7770304952f3a236188610cfefbc7cdd
Instruction ID: 4da2fe471f31ca3bfbd45d4141142f24a7ff825f6c59403002ef929b4aecf9e9
Opcode Fuzzy Hash: ea4ac931ed11933e21a7c83c2425bb7c7770304952f3a236188610cfefbc7cdd
Instruction Fuzzy Hash: ED1280312042019FDB14DF15C491A6ABBE5FF88358F05886EF8499B3A2DB39FC41CB89

Function 004A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A09C6
_wcslen.LIBCMT ref: 004A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004A0A54
_wcslen.LIBCMT ref: 004A0A8A
_wcslen.LIBCMT ref: 004A0B06
_wcslen.LIBCMT ref: 004A0B81

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

Part of subcall function 00472BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00472BFA

Strings

GETTEXT, xrefs: 004A0C97
GETTOTALCOUNT, xrefs: 004A09F2, 004A0A17
GETITEMCOUNT, xrefs: 004A0C1E
EXISTS, xrefs: 004A0B7C, 004A0B97
ISCHECKED, xrefs: 004A0CE1
GETSELECTED, xrefs: 004A0C4E
UNCHECK, xrefs: 004A0D3E
COLLAPSE, xrefs: 004A0B01, 004A0B1C
CHECK, xrefs: 004A0A85, 004A0AA0
SELECT, xrefs: 004A0D11
EXPAND, xrefs: 004A0BF8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0720a5bfdb4e81eb8932f2283124a063d73bb46e898ebb9025f98d16490c2fe7
Instruction ID: 71bb98aa1d0cb647c24a067f9355aa1627f251d85bc7f1c45857d5aefb18cbd5
Opcode Fuzzy Hash: 0720a5bfdb4e81eb8932f2283124a063d73bb46e898ebb9025f98d16490c2fe7
Instruction Fuzzy Hash: 13E1D1712083019FC714DF25C45096AB7E2BFA9318F50895FF8999B3A2D738ED45CB8A

Function 0049C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
_wcslen.LIBCMT ref: 0049C9F1
_wcslen.LIBCMT ref: 0049CA68
_wcslen.LIBCMT ref: 0049CA9E
_wcslen.LIBCMT ref: 0049CAF9
_wcslen.LIBCMT ref: 0049CB2F
_wcslen.LIBCMT ref: 0049CB7F

Strings

HKCR, xrefs: 0049CB29, 0049CB2E
HKEY_USERS, xrefs: 0049CBDF
HKEY_CURRENT_CONFIG, xrefs: 0049CB79, 0049CB7E
HKCC, xrefs: 0049CBAC
HKEY_CLASSES_ROOT, xrefs: 0049CAF3, 0049CAF8
HKEY_LOCAL_MACHINE, xrefs: 0049CA62, 0049CA67
HKEY_CURRENT_USER, xrefs: 0049CBBD
HKLM, xrefs: 0049CA98, 0049CA9D
HKCU, xrefs: 0049CBCE
HKU, xrefs: 0049CBF0

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: bac4f9cd323f08682ec5b06894ef53aa53b38e830bd08fb05a1defae5ff1d7ed
Instruction ID: d5d863f6c86e870ab54e73c1e16bf93cde290a1e23b92c2b14424a1a4fa95069
Opcode Fuzzy Hash: bac4f9cd323f08682ec5b06894ef53aa53b38e830bd08fb05a1defae5ff1d7ed
Instruction Fuzzy Hash: 3071023260012A8BCF20DE78D9D16BF3B91AFA4764B50453BE85697384E63CDD8583AC

Function 004A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A835A
_wcslen.LIBCMT ref: 004A836E
_wcslen.LIBCMT ref: 004A8391
_wcslen.LIBCMT ref: 004A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004A5BF2), ref: 004A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004A8501
FreeLibrary.KERNEL32(?), ref: 004A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004A851D
DestroyIcon.USER32(?,?,?,?,?,004A5BF2), ref: 004A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004A8555

Strings

.exe, xrefs: 004A8388
.icl, xrefs: 004A8368
.dll, xrefs: 004A83AB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a0ba2eaa562fba035ce4f5868e329f6d95a4f8662d8f1f7125fc70b63ca8b933
Instruction ID: 87c3c71bab557bf3440b5ae3ca86f648046470f02ca5c71676a4d27e303ff600
Opcode Fuzzy Hash: a0ba2eaa562fba035ce4f5868e329f6d95a4f8662d8f1f7125fc70b63ca8b933
Instruction Fuzzy Hash: E061DF71900215BEEB14DF64CC81BFF7BA8FB19720F10451AF815DA1D1EB78A980CBA8

Function 00417778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 004178D9
#ce, xrefs: 004178ED
Unterminated group of comments, xrefs: 0045528C
Bad directive syntax error, xrefs: 0045519A
Cannot parse #include, xrefs: 00455279
#pragma compile, xrefs: 004177D3
#comments-start, xrefs: 0041785F, 004178B1
#cs, xrefs: 00417873, 004178C5
#include-once, xrefs: 0041782F
', xrefs: 00455169
#notrayicon, xrefs: 004177E7
#OnAutoItStartRegister, xrefs: 00417817
#requireadmin, xrefs: 004177FF
#include, xrefs: 00417847
", xrefs: 00455153

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 21c0a4db85087019c27a5669bc44e6d4c5a30fe63eb901d03337d645ae29b811
Instruction ID: 9163805a9ffd9d5412d66ca13c160e931ca9fb4f2aefb45c61f1c69912936ce9
Opcode Fuzzy Hash: 21c0a4db85087019c27a5669bc44e6d4c5a30fe63eb901d03337d645ae29b811
Instruction Fuzzy Hash: B681F470A40605ABDB20AF61DC52FEF7B74AF15304F04402BF805AA292EB7CD985C79D

Function 00483E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00483EF8
_wcslen.LIBCMT ref: 00483F03
_wcslen.LIBCMT ref: 00483F5A
_wcslen.LIBCMT ref: 00483F98
GetDriveTypeW.KERNEL32(?), ref: 00483FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0048401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00484059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00484087

Strings

closed, xrefs: 00483F08, 00483F2D, 00483F46, 00483F7E, 00483F97
open , xrefs: 00483FE5
set cd door , xrefs: 00484028
wait, xrefs: 00484044
type cdaudio alias cd wait, xrefs: 00484001
close, xrefs: 00483EFE, 00483F18
close cd wait, xrefs: 00484072
open, xrefs: 00483F54, 00483F59

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: b726c860f32b7690b1632d17fb7119f0f0fd9924b106f2dd857fb5e4f43bb1ef
Instruction ID: 71e3a7638ec9c3419b363a39a2abbf3ea2d0218442d8a22f393c237894bea0b1
Opcode Fuzzy Hash: b726c860f32b7690b1632d17fb7119f0f0fd9924b106f2dd857fb5e4f43bb1ef
Instruction Fuzzy Hash: 6471AC316042129FC310EF24C8909AFB7E4EF99B58B10492FFA9597251EB38ED45CB99

Function 00475A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00475A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00475A40
SetWindowTextW.USER32(?,?), ref: 00475A57
GetDlgItem.USER32(?,000003EA), ref: 00475A6C
SetWindowTextW.USER32(00000000,?), ref: 00475A72
GetDlgItem.USER32(?,000003E9), ref: 00475A82
SetWindowTextW.USER32(00000000,?), ref: 00475A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00475AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00475AC3
GetWindowRect.USER32(?,?), ref: 00475ACC
_wcslen.LIBCMT ref: 00475B33
SetWindowTextW.USER32(?,?), ref: 00475B6F
GetDesktopWindow.USER32 ref: 00475B75
GetWindowRect.USER32(00000000), ref: 00475B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00475BD3
GetClientRect.USER32(?,?), ref: 00475BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00475C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00475C2F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 15b77cc3a12dcd2901aa2ecc5caedef83fd7d4d0605f2cc54582615693e99587
Instruction ID: d68c9926c70e6a31f208645eeaef471f8df6a7d1c520532eabc3135bfbba4c8e
Opcode Fuzzy Hash: 15b77cc3a12dcd2901aa2ecc5caedef83fd7d4d0605f2cc54582615693e99587
Instruction Fuzzy Hash: CE718231900B059FDB20DFA8CE85AAFBBF5FF48704F104529E146A66A0D7B4F944CB54

Function 0048FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0048FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0048FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0048FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0048FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0048FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0048FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0048FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0048FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0048FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0048FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0048FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0048FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0048FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0048FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0048FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0048FECC
GetCursorInfo.USER32(?), ref: 0048FEDC
GetLastError.KERNEL32 ref: 0048FF1E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1cae7388290d62eb1e9138eb1ab7b6de09495a8b3acbfb82c8e11b89813763ed
Instruction ID: f024c8a07490e52d5bf28ffbe9aa5142c39de002ac0c7f767aa7bf45c1c17f68
Opcode Fuzzy Hash: 1cae7388290d62eb1e9138eb1ab7b6de09495a8b3acbfb82c8e11b89813763ed
Instruction Fuzzy Hash: D34131B0D443196ADB10DFBA8C8985EBFE8FF04754B50452BE21DE7281DB78E9018F95

Function 004730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047318D
_wcslen.LIBCMT ref: 004731F8

Strings

NAME, xrefs: 00473335, 00473346
CLASSNN, xrefs: 004731F3, 00473204
CLASS, xrefs: 00473188, 004731A5
INSTANCE, xrefs: 00473453
[M, xrefs: 0047339A
TEXT, xrefs: 0047347C
REGEXPCLASS, xrefs: 00473255, 00473266

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[M
API String ID: 176396367-3897780819
Opcode ID: b96623a95b347f7aca3d4d8b97c3991ae9194941cbfa1ecd679a5c21578a44c8
Instruction ID: aa63f2a369256b94df989cc275171d9e3d6b15e2fc1709ac387eae9b27f71ea6
Opcode Fuzzy Hash: b96623a95b347f7aca3d4d8b97c3991ae9194941cbfa1ecd679a5c21578a44c8
Instruction Fuzzy Hash: 90E1E432A00516ABCB289F74C4517EEBBB0BF44715F54C12BE45AB7340DF38AE85A798

Function 004300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004300C6

Part of subcall function 004300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004E070C,00000FA0,97D98A76,?,?,?,?,004523B3,000000FF), ref: 0043011C
Part of subcall function 004300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004523B3,000000FF), ref: 00430127
Part of subcall function 004300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004523B3,000000FF), ref: 00430138
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0043014E
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0043015C
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0043016A
Part of subcall function 004300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00430195
Part of subcall function 004300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004301A0

___scrt_fastfail.LIBCMT ref: 004300E7

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

Strings

kernel32.dll, xrefs: 00430133
WakeAllConditionVariable, xrefs: 00430162
InitializeConditionVariable, xrefs: 00430148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00430122
SleepConditionVariableCS, xrefs: 00430154

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 8424aec140013ab03561fba2c7cc318467006b6a89ece3e2d06ac802320f4b1a
Instruction ID: d4bd76f16599715a784a70480cebc38e1d83c7f5d8cb9fa6486302071be1f816
Opcode Fuzzy Hash: 8424aec140013ab03561fba2c7cc318467006b6a89ece3e2d06ac802320f4b1a
Instruction Fuzzy Hash: 2E21FC32B447106BDB116BA5AC55B6A77E4DB1AB61F10033BF801A7791DBBD5C008A9C

Function 004844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004ACC08), ref: 00484527
_wcslen.LIBCMT ref: 0048453B
_wcslen.LIBCMT ref: 00484599
_wcslen.LIBCMT ref: 004845F4
_wcslen.LIBCMT ref: 0048463F
_wcslen.LIBCMT ref: 004846A7

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

GetDriveTypeW.KERNEL32(?,004D6BF0,00000061), ref: 00484743

Strings

cdrom, xrefs: 0048458F, 00484594
ramdisk, xrefs: 004846F1
network, xrefs: 0048469D, 004846A2
all, xrefs: 00484531, 00484536
removable, xrefs: 004845EA, 004845EF
unknown, xrefs: 00484708
fixed, xrefs: 00484635, 0048463A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a2d2277e741d4015f6cde9329ad8f7ab1f6da727179d9b750c3183022b816716
Instruction ID: 0698786d47ba9e68c8ff4849903cbcedee9b381c6aae5198ddae73ed37c08107
Opcode Fuzzy Hash: a2d2277e741d4015f6cde9329ad8f7ab1f6da727179d9b750c3183022b816716
Instruction Fuzzy Hash: BFB1DE316083029BC310EF29C890A6FB7E5AFE5724F504D1FF59697291E738E845CB5A

Function 004A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DragQueryPoint.SHELL32(?,?), ref: 004A9147

Part of subcall function 004A7674: ClientToScreen.USER32(?,?), ref: 004A769A
Part of subcall function 004A7674: GetWindowRect.USER32(?,?), ref: 004A7710
Part of subcall function 004A7674: PtInRect.USER32(?,?,004A8B89), ref: 004A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004A9277
DragFinish.SHELL32(?), ref: 004A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004A9371

Strings

@GUI_DRAGFILE, xrefs: 004A9320
@GUI_DRAGID, xrefs: 004A92E9
@GUI_DROPID, xrefs: 004A929E
p#N, xrefs: 004A92BB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#N
API String ID: 221274066-3777839306
Opcode ID: fb11f4cb25d4cca32d578a96fd01ea80aff25c89b9804c16dc353d1a40ead24b
Instruction ID: 1a6b1795c3cc3da4ae714f8f05d55f9eeb9ab44cdba21cae6a91b786647a3ec2
Opcode Fuzzy Hash: fb11f4cb25d4cca32d578a96fd01ea80aff25c89b9804c16dc353d1a40ead24b
Instruction Fuzzy Hash: 56618D71108300AFC701EF65DC85EAFBBE8EF99354F00092EF595931A1DB749A49CB9A

Function 0041326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004E1990), ref: 00452F8D
GetMenuItemCount.USER32(004E1990), ref: 0045303D
GetCursorPos.USER32(?), ref: 00453081
SetForegroundWindow.USER32(00000000), ref: 0045308A
TrackPopupMenuEx.USER32(004E1990,00000000,?,00000000,00000000,00000000), ref: 0045309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004530A9

Strings

0, xrefs: 0041327D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 599c75741219997bade773841e3042aadca866dce69520f094be17eced15d794
Instruction ID: d52a3e0dce57be7f60c5b77a1431bcbed5ec4adafd949a2b997b8c1421e7ff8d
Opcode Fuzzy Hash: 599c75741219997bade773841e3042aadca866dce69520f094be17eced15d794
Instruction Fuzzy Hash: 7D716931640205BEEB219F24DC89FDBBF64FF02365F204217F9146A2E1C7B9A954DB98

Function 004A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 004A6DEB

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A6E94
DestroyWindow.USER32(?), ref: 004A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00410000,00000000), ref: 004A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A6EFD
GetDesktopWindow.USER32 ref: 004A6F16
GetWindowRect.USER32(00000000), ref: 004A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004A6F4D

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

Strings

0, xrefs: 004A6D98
tooltips_class32, xrefs: 004A6E58, 004A6EDD

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e0cd5f90fcd73690cf8c5ab392a1d1636a5a422d21d77e6fbddd6ac0f1e6dbee
Instruction ID: 480449d6847d523ead7291c8894ffbcea8572c8879d447d827b19be4b4543d40
Opcode Fuzzy Hash: e0cd5f90fcd73690cf8c5ab392a1d1636a5a422d21d77e6fbddd6ac0f1e6dbee
Instruction Fuzzy Hash: 16716B74144244AFDB21CF18DC84BABBBE9FB9A304F49042EF999873A1C774E905CB19

Function 0048C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0048C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0048C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0048C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0048C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0048C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0048C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0048C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0048C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0048C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0048C5F0
InternetCloseHandle.WININET(00000000), ref: 0048C5FB

Strings

, xrefs: 0048C575

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 68fb875449e4cc42c6dca594d0758b07764563a79b01867c82de9594eaedf6e5
Instruction ID: e6696c870a8f472e951e1b2e8277b7b114244663c75e5189ff1b9eef0f6f2f84
Opcode Fuzzy Hash: 68fb875449e4cc42c6dca594d0758b07764563a79b01867c82de9594eaedf6e5
Instruction Fuzzy Hash: B0515DB5500205BFDB21AF61C9C8AAF7BFCFF09754F00482AF94596250DB38E9449B78

Function 004A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 004A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85BA
GlobalLock.KERNEL32(00000000), ref: 004A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85D7
GlobalUnlock.KERNEL32(00000000), ref: 004A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,004AFC38,?), ref: 004A8611
GlobalFree.KERNEL32(00000000), ref: 004A8621
GetObjectW.GDI32(?,00000018,?), ref: 004A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004A8671
DeleteObject.GDI32(?), ref: 004A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004A86AF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3109d90dc184fdbb912968a58aa33ab52785152fe92feac7fc2717fb69d8b838
Instruction ID: e6ec7d9842439c99f61616a9e84471a96dcc8ccf038acd46d5fdce04b350a222
Opcode Fuzzy Hash: 3109d90dc184fdbb912968a58aa33ab52785152fe92feac7fc2717fb69d8b838
Instruction Fuzzy Hash: DF41FA75A00208BFDB519FA5DC88EAB7BB8FF9A711F144069F905E7260DB349901CB68

Function 004814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00481502
VariantCopy.OLEAUT32(?,?), ref: 0048150B
VariantClear.OLEAUT32(?), ref: 00481517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00481657
VariantInit.OLEAUT32(?), ref: 00481708
SysFreeString.OLEAUT32(?), ref: 0048178C
VariantClear.OLEAUT32(?), ref: 004817D8
VariantClear.OLEAUT32(?), ref: 004817E7
VariantInit.OLEAUT32(00000000), ref: 00481823

Strings

Default, xrefs: 004816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00481625

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8626206c736955df7ae1993ca3d08af2af09fa440c0c0578b02da9b46500e2d1
Instruction ID: 1e7e7bfefe4b90ca68e4988ad8633cfb91fafc46916d762e6377b0326fef6c0c
Opcode Fuzzy Hash: 8626206c736955df7ae1993ca3d08af2af09fa440c0c0578b02da9b46500e2d1
Instruction Fuzzy Hash: 62D11571600111EBDB00AF69E884B7DB7B9BF45700F50886BF446AB2A0DB38DC47DB5A

Function 0049B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0049B80A
RegCloseKey.ADVAPI32(?), ref: 0049B87E
RegCloseKey.ADVAPI32(?), ref: 0049B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0049B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0049B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0049B922
FreeLibrary.KERNEL32(00000000), ref: 0049B983
RegCloseKey.ADVAPI32(00000000), ref: 0049B994

Strings

RegDeleteKeyExW, xrefs: 0049B8FE
advapi32.dll, xrefs: 0049B8ED

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f4dfe2cbd5043bef8a05754c3a9d85b1d30be51a35c1f5ef1db0f3418d6acc88
Instruction ID: fa615ed0b01782387e58b718d2a11691133ab1bdceb8145f8568586ea849ea40
Opcode Fuzzy Hash: f4dfe2cbd5043bef8a05754c3a9d85b1d30be51a35c1f5ef1db0f3418d6acc88
Instruction Fuzzy Hash: DAC18F70204201AFDB10DF15D594F2ABBE5FF84308F1485AEE5994B3A2C779EC46CB95

Function 0049255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004925E8
CreateCompatibleDC.GDI32(?), ref: 004925F4
SelectObject.GDI32(00000000,?), ref: 00492601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0049266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004926D0
SelectObject.GDI32(?,?), ref: 004926D8
DeleteObject.GDI32(?), ref: 004926E1
DeleteDC.GDI32(?), ref: 004926E8
ReleaseDC.USER32(00000000,?), ref: 004926F3

Strings

(, xrefs: 0049268D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e7c76a15e1f6273465474079c167818fed6e7a976a8e3e44bc5312cc5a85b3a9
Instruction ID: afe30b257a05467c9fec05000a697a3f78429f877108e9f3009296d23cb2d67e
Opcode Fuzzy Hash: e7c76a15e1f6273465474079c167818fed6e7a976a8e3e44bc5312cc5a85b3a9
Instruction Fuzzy Hash: 6561D1B5E00219EFCF05CFA4D984AAEBBB5FF48310F20852AE955A7250E774A941CF94

Function 0044DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044DAA1

Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D659
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D66B
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D67D
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D68F
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6A1
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6B3
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6C5
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6D7
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6E9
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6FB
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D70D
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D71F
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D731

_free.LIBCMT ref: 0044DA96

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044DAB8
_free.LIBCMT ref: 0044DACD
_free.LIBCMT ref: 0044DAD8
_free.LIBCMT ref: 0044DAFA
_free.LIBCMT ref: 0044DB0D
_free.LIBCMT ref: 0044DB1B
_free.LIBCMT ref: 0044DB26
_free.LIBCMT ref: 0044DB5E
_free.LIBCMT ref: 0044DB65
_free.LIBCMT ref: 0044DB82
_free.LIBCMT ref: 0044DB9A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c105ba9458f2702fb0df8d2a44a6a4991dc3ad4c0ac3a8d1d5cfe33d60b762af
Instruction ID: 0fbc7f903a6bfa94f2bcc192590e3471ce0bd6f3987e2933896b359906d1fcbb
Opcode Fuzzy Hash: c105ba9458f2702fb0df8d2a44a6a4991dc3ad4c0ac3a8d1d5cfe33d60b762af
Instruction Fuzzy Hash: 51316AB1A046459FFB21AA3AE945B5BB7E9FF00314F51442BF049D7291DA78AC40C728

Function 0047365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0047369C
_wcslen.LIBCMT ref: 004736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00473797
GetClassNameW.USER32(?,?,00000400), ref: 0047380C
GetDlgCtrlID.USER32(?), ref: 0047385D
GetWindowRect.USER32(?,?), ref: 00473882
GetParent.USER32(?), ref: 004738A0
ScreenToClient.USER32(00000000), ref: 004738A7
GetClassNameW.USER32(?,?,00000100), ref: 00473921
GetWindowTextW.USER32(?,?,00000400), ref: 0047395D

Strings

%s%u, xrefs: 00473734

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3ee711676b9be292302927535824d43032d8a856ff6ed10647d211009fc797ff
Instruction ID: 7106b567ec3585191244bd828ee75418fe1e49136e2ca5b3a6696f0e1cf8f10d
Opcode Fuzzy Hash: 3ee711676b9be292302927535824d43032d8a856ff6ed10647d211009fc797ff
Instruction Fuzzy Hash: C691C3B1204206AFD718DF24C884BEBB7E8FF44315F00C52AFA9D82250DB38EA45DB95

Function 00474954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00474994
GetWindowTextW.USER32(?,?,00000400), ref: 004749DA
_wcslen.LIBCMT ref: 004749EB
CharUpperBuffW.USER32(?,00000000), ref: 004749F7
_wcsstr.LIBVCRUNTIME ref: 00474A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00474A64
GetWindowTextW.USER32(?,?,00000400), ref: 00474A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00474AE6
GetClassNameW.USER32(?,?,00000400), ref: 00474B20
GetWindowRect.USER32(?,?), ref: 00474B8B

Strings

ThumbnailClass, xrefs: 00474A6F, 00474AF1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a241618ee9a1aff6ab3c65ff6abcf850d1e318a96d8ec44b4220d26f6d52b681
Instruction ID: 3e46f777533f94fe0d5f87b77e93d849d40ddff76415f2c031b173f9daee5041
Opcode Fuzzy Hash: a241618ee9a1aff6ab3c65ff6abcf850d1e318a96d8ec44b4220d26f6d52b681
Instruction Fuzzy Hash: 0D91AC711042059FDB05DE14C981BFBB7E8EF84314F04846BED899A296DB38ED45CBAA

Function 004A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004A8D5A
GetFocus.USER32 ref: 004A8D6A
GetDlgCtrlID.USER32(00000000), ref: 004A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004A8ECF
GetMenuItemCount.USER32(?), ref: 004A8EEC
GetMenuItemID.USER32(?,00000000), ref: 004A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004A8FA1

Strings

0, xrefs: 004A8E9F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 7bc6d3c64b8ebf5ae01fe22a8847a99c6d13b2a3ea2c7af1079b2e393a8aa3a6
Instruction ID: a1483002659df2c769b64139de1c9b98ef7785f78553308075a25c6b183a3a62
Opcode Fuzzy Hash: 7bc6d3c64b8ebf5ae01fe22a8847a99c6d13b2a3ea2c7af1079b2e393a8aa3a6
Instruction Fuzzy Hash: 2C81B371504311AFDB10CF24D884A6BBBE9FFAA314F14092EF985D7291DB78D901CB69

Function 0047DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0047DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0047DC46
_wcslen.LIBCMT ref: 0047DC50
_wcsstr.LIBVCRUNTIME ref: 0047DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0047DCBC

Strings

StringFileInfo\, xrefs: 0047DC8F
%u.%u.%u.%u, xrefs: 0047DD9A
DefaultLangCodepage, xrefs: 0047DD1F
\VarFileInfo\Translation, xrefs: 0047DCB4
04090000, xrefs: 0047DCF2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 02bfc9abe3a274e56ed06f8e380c05fda1abc8c723e2014e049120b1bf87454b
Instruction ID: b3fee1bfc6078b955bec20cc79ca37a490acab5d2dd6c5a520f950a9bc8bd273
Opcode Fuzzy Hash: 02bfc9abe3a274e56ed06f8e380c05fda1abc8c723e2014e049120b1bf87454b
Instruction Fuzzy Hash: A8412432A402107ADB15A661AC83FFF37BCDF5A714F50406FF904A2182EB7DA90197AD

Function 0049CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0049CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0049CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0049CD48

Part of subcall function 0049CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0049CCAA
Part of subcall function 0049CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0049CCBD
Part of subcall function 0049CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0049CCCF
Part of subcall function 0049CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0049CD05
Part of subcall function 0049CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0049CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0049CCF3

Strings

RegDeleteKeyExW, xrefs: 0049CCC9
advapi32.dll, xrefs: 0049CCB8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 96e21358bb9ea3f98390cb7f73ff936c887cce294f6a27e653639b81f8fa2f58
Instruction ID: 7538443a2070a75c8f6738d5cf86d3d8f676141747eedc8856924e3f1a3f32c1
Opcode Fuzzy Hash: 96e21358bb9ea3f98390cb7f73ff936c887cce294f6a27e653639b81f8fa2f58
Instruction Fuzzy Hash: 1B316071A41129BBDB209B95DCC8EFFBF7CEF46754F000176F905E2240D6389E459AA8

Function 00483D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00483D40
_wcslen.LIBCMT ref: 00483D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00483D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00483DBE
RemoveDirectoryW.KERNEL32(?), ref: 00483DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00483E55
CloseHandle.KERNEL32(00000000), ref: 00483E60
CloseHandle.KERNEL32(00000000), ref: 00483E6B

Strings

\, xrefs: 00483D77
\??\%s, xrefs: 00483D5B
:, xrefs: 00483D82

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 80ac30bf395c0d8dca7af9d18548eadca34b56373005702233e20461d83ba766
Instruction ID: 01218be2fc8f2de56f93013dde21c61150c6cbe48c7afecb1293de8e9cae7b58
Opcode Fuzzy Hash: 80ac30bf395c0d8dca7af9d18548eadca34b56373005702233e20461d83ba766
Instruction Fuzzy Hash: 6B31B6729001096BDB21AFA0DC85FEF37BCEF89B05F1044B6F905D6150EB7897458B28

Function 0047E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0047E6B4

Part of subcall function 0042E551: timeGetTime.WINMM(?,?,0047E6D4), ref: 0042E555

Sleep.KERNEL32(0000000A), ref: 0047E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0047E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0047E727
SetActiveWindow.USER32 ref: 0047E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0047E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0047E773
Sleep.KERNEL32(000000FA), ref: 0047E77E
IsWindow.USER32 ref: 0047E78A
EndDialog.USER32(00000000), ref: 0047E79B

Strings

BUTTON, xrefs: 0047E719

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0ce4e31316d84ee1a9df28ce108d7ae3b03154ccf470b9ad86f47536e608884c
Instruction ID: 494c76b985108189b84701e682c771b886766d41e0b061f8c7d00f00864028ea
Opcode Fuzzy Hash: 0ce4e31316d84ee1a9df28ce108d7ae3b03154ccf470b9ad86f47536e608884c
Instruction Fuzzy Hash: 0121D4B0200244AFEB105F36EDC9A663F6DF71A349F108676F409952B2DBB5AC009A2C

Function 0047E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0047EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0047EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0047EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0047EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0047EAA7

Strings

play PlayMe, xrefs: 0047EAA2
play PlayMe wait, xrefs: 0047EA91
status PlayMe mode, xrefs: 0047EA58
alias PlayMe, xrefs: 0047EA36
open , xrefs: 0047EA0C
close PlayMe, xrefs: 0047EA6E, 0047EA9B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: df8e3da0a5e259090cab6440a6af7588a6aaf42412739cb9de69359772a0b638
Instruction ID: 185efa22bfd07092d35c6ad2d555b2b30407d90891556a1a8f714cf41da1f940
Opcode Fuzzy Hash: df8e3da0a5e259090cab6440a6af7588a6aaf42412739cb9de69359772a0b638
Instruction Fuzzy Hash: 6E11E370A9021979D720A7A2DC6AEFF6B7CEBC1F04F10046BB801A21D0EE781D45C9B8

Function 00475CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00475CE2
GetWindowRect.USER32(00000000,?), ref: 00475CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00475D59
GetDlgItem.USER32(?,00000002), ref: 00475D69
GetWindowRect.USER32(00000000,?), ref: 00475D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00475DCF
GetDlgItem.USER32(?,000003E9), ref: 00475DDD
GetWindowRect.USER32(00000000,?), ref: 00475DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00475E31
GetDlgItem.USER32(?,000003EA), ref: 00475E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00475E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00475E67

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 85fce70f1bc3c6a58b00dbe9f269ff0012521eeb4d645d9ced75c338d75638a7
Instruction ID: 7af9dc3cde50717f7a15d0e0f9f9ffc130238e322a778124ca07208abb8f559d
Opcode Fuzzy Hash: 85fce70f1bc3c6a58b00dbe9f269ff0012521eeb4d645d9ced75c338d75638a7
Instruction Fuzzy Hash: 3C510E71B00605AFDF18CFA8DD89AAEBBB5FB48300F548129F519E7290D7749E04CB54

Function 00428BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00428F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00428BE8,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428FC5

DestroyWindow.USER32(?), ref: 00428C81
KillTimer.USER32(00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00466973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 004669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 004669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000), ref: 004669D4
DeleteObject.GDI32(00000000), ref: 004669E6

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d312ec482637de34eab6c8cb0abf800ef1d87be553b45fe41c1f9b4440f380c5
Instruction ID: 6c6c78c700273877c720b5be97dd70d0af4906cd395b8db5d91e4763b518ce99
Opcode Fuzzy Hash: d312ec482637de34eab6c8cb0abf800ef1d87be553b45fe41c1f9b4440f380c5
Instruction Fuzzy Hash: FA61C170202620DFDB219F15EA88B2A7BF1FB41316F55452EE0429B671CB39AC81CF9D

Function 00429838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

GetSysColor.USER32(0000000F), ref: 00429862

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5a4886a40c9aaeaf3bb6ae34570c01d04d3e4fd7cde98486b7776afaba0a22ec
Instruction ID: f874ee9d2f2be3fd10760c2b7717790b9c456f1175dcccdab44d2fb6697bf3e7
Opcode Fuzzy Hash: 5a4886a40c9aaeaf3bb6ae34570c01d04d3e4fd7cde98486b7776afaba0a22ec
Instruction Fuzzy Hash: 1741FA31600650AFDB206F38AC84BBA3B65EB17330F584656F9A2873E2D7349C42DB19

Function 00448D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.C, xrefs: 0044903A, 00448FD0, 00448FF2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: .C
API String ID: 0-1181961956
Opcode ID: 9b58f5dabe3077509171e732bff81eb824458f57b6083445ac5ab056f66e97ef
Instruction ID: eb9610bd3511200ec6d90fa95a5c7e010e857ca5343351805dd7b5ce85707d63
Opcode Fuzzy Hash: 9b58f5dabe3077509171e732bff81eb824458f57b6083445ac5ab056f66e97ef
Instruction Fuzzy Hash: 1EC1F474D04249AFEF11DFA9D841BAFBBB0AF09314F14409AF814A7392C7798D42DB69

Function 004796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0045F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00479717
LoadStringW.USER32(00000000,?,0045F7F8,00000001), ref: 00479720

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0045F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00479742
LoadStringW.USER32(00000000,?,0045F7F8,00000001), ref: 00479745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00479866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0047984A
Line %d:, xrefs: 004797A0
Line %d (File "%s"):, xrefs: 0047978F
^ ERROR, xrefs: 004797FB
Error: , xrefs: 0047981D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3ee9530a851cd0c7f38de4390686cf59642ea22bf7a459988ec1dc21611975c2
Instruction ID: 47649ed6707ce6315a6fb9766a92006ead74d56158a65ab5c8854d2702f008b9
Opcode Fuzzy Hash: 3ee9530a851cd0c7f38de4390686cf59642ea22bf7a459988ec1dc21611975c2
Instruction Fuzzy Hash: A1416572800119AADF04FBE1CD96DEE7778AF15744F50402BF60572192EB396F88CB69

Function 004706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00470804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0047082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00470837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0047083C

Strings

\IPC$, xrefs: 00470784
SOFTWARE\Classes\, xrefs: 0047070E
\CLSID, xrefs: 00470724

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2105aacdd6c737f33dc8ded460abfac6fe9d8952a66773c56c8a4bb317b591c2
Instruction ID: 971b3f1af4e9c7bad6bcaabeef2f6bc07191664b0645e154af9b29989f684920
Opcode Fuzzy Hash: 2105aacdd6c737f33dc8ded460abfac6fe9d8952a66773c56c8a4bb317b591c2
Instruction Fuzzy Hash: 0C413B71C11228EBCF15EFA4DC95CEEB778BF04354F15412AE905A3260EB38AE44CB94

Function 00493C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00493C5C
CoInitialize.OLE32(00000000), ref: 00493C8A
CoUninitialize.OLE32 ref: 00493C94
_wcslen.LIBCMT ref: 00493D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00493DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00493ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00493F0E
CoGetObject.OLE32(?,00000000,004AFB98,?), ref: 00493F2D
SetErrorMode.KERNEL32(00000000), ref: 00493F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00493FC4
VariantClear.OLEAUT32(?), ref: 00493FD8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bd28a41bbed7338230c01f431dd6a8a5859c679330a8b047e730b4abd573d918
Instruction ID: f46ce77e6ea40ec39aeecf3c65ce7f6ba73e3857271a89658ab5552a3a1d6a17
Opcode Fuzzy Hash: bd28a41bbed7338230c01f431dd6a8a5859c679330a8b047e730b4abd573d918
Instruction Fuzzy Hash: 23C158716083059FCB00DF65C88496BBBE9FF8A749F00496EF98A9B210D734EE05CB56

Function 00487A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00487AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00487B8F
SHGetDesktopFolder.SHELL32(?), ref: 00487BA3
CoCreateInstance.OLE32(004AFD08,00000000,00000001,004D6E6C,?), ref: 00487BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00487C74
CoTaskMemFree.OLE32(?,?), ref: 00487CCC
SHBrowseForFolderW.SHELL32(?), ref: 00487D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00487D7A
CoTaskMemFree.OLE32(00000000), ref: 00487D81
CoTaskMemFree.OLE32(00000000), ref: 00487DD6
CoUninitialize.OLE32 ref: 00487DDC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5ce2fca2df1c0f1af2976dfdea444bb9711469775f9fc02b0fe9a823da8672c2
Instruction ID: 88d8fb7e9a5a88090902244ea6af08d937b7dc800ece08ee49cd5c22bb9600be
Opcode Fuzzy Hash: 5ce2fca2df1c0f1af2976dfdea444bb9711469775f9fc02b0fe9a823da8672c2
Instruction Fuzzy Hash: 73C13D75A04105AFCB14EFA4C894DAEBBF9FF48308B1484A9E81ADB361D734ED41CB94

Function 004A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A5515
CharNextW.USER32(00000158), ref: 004A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A55AC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2efb1f7c96c8081bb18d15c9847767f811f787cce9b19fadcfeee2f16e489ed0
Instruction ID: 886126b4b6221783a70d92fb59f16fe1a659533b40aeb0ed112194b5baff34cd
Opcode Fuzzy Hash: 2efb1f7c96c8081bb18d15c9847767f811f787cce9b19fadcfeee2f16e489ed0
Instruction Fuzzy Hash: F161BE71900608FBDF10DF54CD84AFF3BB9EB2B320F104156F925AA291D7388A81DB69

Function 0046FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0046FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0046FB08
VariantInit.OLEAUT32(?), ref: 0046FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0046FB3A
VariantCopy.OLEAUT32(?,?), ref: 0046FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0046FBA1
VariantClear.OLEAUT32(?), ref: 0046FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0046FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046FBCC
VariantClear.OLEAUT32(?), ref: 0046FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046FBE9

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c215a2eadedc096187399e35b036147ca007a2358cc53a2e26fafaf8e74fc690
Instruction ID: 69da9d415d22f4735617171077b00187f906dca4e4e7837b33ff6fada278e84d
Opcode Fuzzy Hash: c215a2eadedc096187399e35b036147ca007a2358cc53a2e26fafaf8e74fc690
Instruction Fuzzy Hash: E9417275A002199FCB00DF64D8949EEBFB9FF49344F00807AE945A7261DB34E945CF99

Function 00479C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00479CA1
GetAsyncKeyState.USER32(000000A0), ref: 00479D22
GetKeyState.USER32(000000A0), ref: 00479D3D
GetAsyncKeyState.USER32(000000A1), ref: 00479D57
GetKeyState.USER32(000000A1), ref: 00479D6C
GetAsyncKeyState.USER32(00000011), ref: 00479D84
GetKeyState.USER32(00000011), ref: 00479D96
GetAsyncKeyState.USER32(00000012), ref: 00479DAE
GetKeyState.USER32(00000012), ref: 00479DC0
GetAsyncKeyState.USER32(0000005B), ref: 00479DD8
GetKeyState.USER32(0000005B), ref: 00479DEA

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7496078645f185c8b955c02ad3bdb58ae11c5035c34322887f17f5e42b53c589
Instruction ID: 105258d4d7e9098a205df19608756355a8728712edbacb0a07328e843bb98f96
Opcode Fuzzy Hash: 7496078645f185c8b955c02ad3bdb58ae11c5035c34322887f17f5e42b53c589
Instruction Fuzzy Hash: 9F41D8345047C96DFF71866484443F7BEA16B12344F08C05BDACA567C2EBAC9DC8C79A

Function 0049055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004905BC
inet_addr.WSOCK32(?), ref: 0049061C
gethostbyname.WSOCK32(?), ref: 00490628
IcmpCreateFile.IPHLPAPI ref: 00490636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004907B9
WSACleanup.WSOCK32 ref: 004907BF

Strings

Ping, xrefs: 00490676

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 35b271760b3fe989d2de4de195e4d215d81501438eb02a27fff2c89ccfa652c0
Instruction ID: d698bc833c7678b93aeb067f8947c4fc809515c985cc515df99e0be90776a55b
Opcode Fuzzy Hash: 35b271760b3fe989d2de4de195e4d215d81501438eb02a27fff2c89ccfa652c0
Instruction Fuzzy Hash: 49917E35604201AFDB20DF15D488F1ABFE0AF44328F1585AAE4698B7A2C738ED85CF95

Function 00498CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00498CF3

Part of subcall function 00478E54: _wcslen.LIBCMT ref: 00478E77

_wcslen.LIBCMT ref: 00498D4E
_wcslen.LIBCMT ref: 00498D9C
_wcslen.LIBCMT ref: 00498DDC
_wcslen.LIBCMT ref: 00498E6E

Strings

cdecl, xrefs: 00498D48, 00498D4D
stdcall, xrefs: 00498DD6, 00498DDB
none, xrefs: 00498E65, 00498E6A
winapi, xrefs: 00498D96, 00498D9B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2988b8d1db754f97fcb01959b2ec187e4289b9debbd9552d54519e9fb1cf070f
Instruction ID: f2321c66c4dea0c95bd39490f25074e66ef5b59c05288e109135086d3958da2f
Opcode Fuzzy Hash: 2988b8d1db754f97fcb01959b2ec187e4289b9debbd9552d54519e9fb1cf070f
Instruction Fuzzy Hash: 9F519071A001169BCF14DF6DC9609BEBBA5AF66324B21423FE426E7384DB39DD40C798

Function 0049372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00493774
CoUninitialize.OLE32 ref: 0049377F
CoCreateInstance.OLE32(?,00000000,00000017,004AFB78,?), ref: 004937D9
IIDFromString.OLE32(?,?), ref: 0049384C
VariantInit.OLEAUT32(?), ref: 004938E4
VariantClear.OLEAUT32(?), ref: 00493936

Strings

Invalid parameter, xrefs: 00493865
NULL Pointer assignment, xrefs: 0049381E
Failed to create object, xrefs: 004937E4, 0049389A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1e76311899763007a6a4355971e6b500c6099e01768a07ff98e4a84797a443ce
Instruction ID: c09ade78cfc8693cfbb62d65456be79016457365495fb0cb24c547c6a8c76256
Opcode Fuzzy Hash: 1e76311899763007a6a4355971e6b500c6099e01768a07ff98e4a84797a443ce
Instruction Fuzzy Hash: 6561B070608301AFD710EF55C888B6ABBE4EF4A705F10486FF58597291C778EE49CB9A

Function 004A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

Part of subcall function 0042912D: GetCursorPos.USER32(?), ref: 00429141
Part of subcall function 0042912D: ScreenToClient.USER32(00000000,?), ref: 0042915E
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000001), ref: 00429183
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000002), ref: 0042919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 004A8B6B
ImageList_EndDrag.COMCTL32 ref: 004A8B71
ReleaseCapture.USER32 ref: 004A8B77
SetWindowTextW.USER32(?,00000000), ref: 004A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004A8CFF

Strings

@GUI_DRAGFILE, xrefs: 004A8C9A
@GUI_DROPID, xrefs: 004A8C51
p#N, xrefs: 004A8C71

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#N
API String ID: 1924731296-3991093434
Opcode ID: 993f0510353d533d072f03afe6da25543189ea6be430bc402e84c74b585bceda
Instruction ID: 47c12726a45359ca2c067fea2545401927e23d90b7c28c502135f77aac93ccd2
Opcode Fuzzy Hash: 993f0510353d533d072f03afe6da25543189ea6be430bc402e84c74b585bceda
Instruction Fuzzy Hash: 33518B70204200AFD704EF15DC95FAA77E4FB89714F400A2EF996572E2DB789D44CB6A

Function 00483388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004833CF

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004833F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00483504
^ ERROR , xrefs: 0048349E
"%s" (%d) : ==> %s:, xrefs: 00483522
Line %d (File "%s"):, xrefs: 00483443, 0048345C
Error: , xrefs: 004834D1
Incorrect parameters to object property !, xrefs: 004834AB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1142c04a9c81701bb75aae4beb97b563b64bd2f7e18b9087fe87dddb4fc3f9c0
Instruction ID: 7695c21b8b36afe79131069c5ec5d0ca14b9c4d6ae953ec27149b8bd75fa862b
Opcode Fuzzy Hash: 1142c04a9c81701bb75aae4beb97b563b64bd2f7e18b9087fe87dddb4fc3f9c0
Instruction Fuzzy Hash: D051D471900209BADF14EBE1CD52EEEB778AF04744F20446BF50572162EB392F98DB68

Function 0047B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0047B5FC
_wcslen.LIBCMT ref: 0047B608
_wcslen.LIBCMT ref: 0047B64D
_wcslen.LIBCMT ref: 0047B68C
_wcslen.LIBCMT ref: 0047B6C7

Strings

REMOVE, xrefs: 0047B602, 0047B607
EXISTS, xrefs: 0047B686, 0047B68B
KEYS, xrefs: 0047B647, 0047B64C
APPEND, xrefs: 0047B6C1, 0047B6C6

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 05988ba4a17b9c84888d3bbc0106db6ad0fca6b2443a379f5b7f8fc0d0f0e533
Instruction ID: 414aed57adbb56d44630540c850783c453eb60b242e3bbd21be030ebb81c53ac
Opcode Fuzzy Hash: 05988ba4a17b9c84888d3bbc0106db6ad0fca6b2443a379f5b7f8fc0d0f0e533
Instruction Fuzzy Hash: 31412A32A001269ACB106F7D88906FF77A1EFA0758B24812BE629D7384E73DCD81C3D5

Function 00485393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00485416
GetLastError.KERNEL32 ref: 00485420
SetErrorMode.KERNEL32(00000000,READY), ref: 004854A7

Strings

NOTREADY, xrefs: 0048544B
READONLY, xrefs: 00485452
UNKNOWN, xrefs: 00485444
INVALID, xrefs: 00485459
READY, xrefs: 00485460, 00485468

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8dafa5648ace807a1cbe3412b834b70b3b72cad942207dffd6dc4ceda2610241
Instruction ID: cbe64af34b405703c3480dd1aee301c646ac5b5423df9dc3eb6c89aac84d6b26
Opcode Fuzzy Hash: 8dafa5648ace807a1cbe3412b834b70b3b72cad942207dffd6dc4ceda2610241
Instruction Fuzzy Hash: 0231CE35A002049FDB10EF68C484BAEBBB4EF45709F14846BE405CB392DB79DD82CB95

Function 004A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004A3C79
SetMenu.USER32(?,00000000), ref: 004A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A3D10
IsMenu.USER32(?), ref: 004A3D24
CreatePopupMenu.USER32 ref: 004A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004A3D5B
DrawMenuBar.USER32 ref: 004A3D63

Strings

F, xrefs: 004A3D4E
0, xrefs: 004A3C54

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 61bf1a0c13cbfdcf9b5887dc7343f0fc2790829543ca24696400371479a97c1a
Instruction ID: 88367d0572a9587ccdce4249f6a151579d92679bdd64667a54bb18dfb3d73e06
Opcode Fuzzy Hash: 61bf1a0c13cbfdcf9b5887dc7343f0fc2790829543ca24696400371479a97c1a
Instruction Fuzzy Hash: 28417EB5A01209EFDB14CF64D884ADA7BB5FF5A351F14002AF946A7360E734AA10CF58

Function 00471EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00471F64
GetDlgCtrlID.USER32 ref: 00471F6F
GetParent.USER32 ref: 00471F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00471F8E
GetDlgCtrlID.USER32(?), ref: 00471F97
GetParent.USER32(?), ref: 00471FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00471FAE

Strings

ListBox, xrefs: 00471F21
ComboBox, xrefs: 00471EEC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 2482581fa915c43a01fffc99b3093fe117c9891835abd700e5ce3564698c1547
Instruction ID: 911ac598e1d5e5cae51a6700bafdf9c31b3e101bcb7c18fb55eda3b226416f2b
Opcode Fuzzy Hash: 2482581fa915c43a01fffc99b3093fe117c9891835abd700e5ce3564698c1547
Instruction Fuzzy Hash: CE21C271900214BBCF15EFA4CC95EEEBBB8EF06354B10411BF965672A1DB385904DB68

Function 004A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004A3C13

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8750fad242930c77f0ba0a5b7088109129fc0be0950115208b9d46647844f1c6
Instruction ID: 9b9b1362c474cf40edbbecfd28caa1ac6b822cdd5dbcf18cdb8d3d0f30ad3c48
Opcode Fuzzy Hash: 8750fad242930c77f0ba0a5b7088109129fc0be0950115208b9d46647844f1c6
Instruction Fuzzy Hash: 04619F75900248AFDB10DF64CC81EEE77F8EB19314F1000AAFA05A73A2D774AE45DB54

Function 0047B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B165
GetWindowThreadProcessId.USER32(00000000), ref: 0047B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0047B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B21D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 83c3472da5634ea67357a083ed23f30d82bf44ddcd5c52161906f8a17ba07ca0
Instruction ID: 60138c64cf79c9cf67be6e330ec5055d278779b652c5cf4ab33331a845a62410
Opcode Fuzzy Hash: 83c3472da5634ea67357a083ed23f30d82bf44ddcd5c52161906f8a17ba07ca0
Instruction Fuzzy Hash: 8731A271540204AFDB119F64DC8CBAE7B69EB51356F108466FA08DB251D7789E008FAC

Function 00442C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442C94

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 00442CA0
_free.LIBCMT ref: 00442CAB
_free.LIBCMT ref: 00442CB6
_free.LIBCMT ref: 00442CC1
_free.LIBCMT ref: 00442CCC
_free.LIBCMT ref: 00442CD7
_free.LIBCMT ref: 00442CE2
_free.LIBCMT ref: 00442CED
_free.LIBCMT ref: 00442CFB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: baeddbe0655e94e118552a65794846ef528a4f51d5828953fe4ae3143878e0bf
Instruction ID: c4d3835c6e39c14024aa1b946a06c50d845e7d2803cfcb573c61ee3650419366
Opcode Fuzzy Hash: baeddbe0655e94e118552a65794846ef528a4f51d5828953fe4ae3143878e0bf
Instruction Fuzzy Hash: 6411FEB5200108BFEB02EF56DA42CDD3B65FF05354F81449AF9485F232D675EE509B54

Function 00487DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00487FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00487FC1
GetFileAttributesW.KERNEL32(?), ref: 00487FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00488005
SetCurrentDirectoryW.KERNEL32(?), ref: 00488017
SetCurrentDirectoryW.KERNEL32(?), ref: 00488060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004880B0

Strings

*.*, xrefs: 00488066

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 75ed41fe40df109effce1867840db597d0068e9624acc88efec2f2c0e749759e
Instruction ID: 60776df3a2aa20ebd64d375f27d7d87eae9c9b1fdb66f3cae49938412a292d9a
Opcode Fuzzy Hash: 75ed41fe40df109effce1867840db597d0068e9624acc88efec2f2c0e749759e
Instruction Fuzzy Hash: 8B8190725082019BCB20EF15C8949BFB7E8AF89314F644C5FF889D7250EB38DD458B5A

Function 00415BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00415C7A

Part of subcall function 00415D0A: GetClientRect.USER32(?,?), ref: 00415D30
Part of subcall function 00415D0A: GetWindowRect.USER32(?,?), ref: 00415D71
Part of subcall function 00415D0A: ScreenToClient.USER32(?,?), ref: 00415D99

GetDC.USER32 ref: 004546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00454708
SelectObject.GDI32(00000000,00000000), ref: 00454716
SelectObject.GDI32(00000000,00000000), ref: 0045472B
ReleaseDC.USER32(?,00000000), ref: 00454733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004547C4

Strings

U, xrefs: 00454693

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 35b70a7b7996833853d03c08335a8f43a9e06e71ff8c86c7ce4ac674f8b758aa
Instruction ID: 887fb8666af04f3ee60c595cc3ab95fc0868f9ada7a6041cbaf17a9e9da7969d
Opcode Fuzzy Hash: 35b70a7b7996833853d03c08335a8f43a9e06e71ff8c86c7ce4ac674f8b758aa
Instruction Fuzzy Hash: E171DE34400205DFCF218F64C984AEA3BB1FF8A32AF14426BED555E267D7388886DF58

Function 0048359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004835E4

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

LoadStringW.USER32(004E2390,?,00000FFF,?), ref: 0048360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00483724
"%s" (%d) : ==> %s:, xrefs: 00483742
Line %d (File "%s"):, xrefs: 0048366B
^ ERROR, xrefs: 004836C9
Error: , xrefs: 004836EF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6829c1961d2d7a976b95a72771c5281948a3b144cbd59cc3e9a777d504f96c59
Instruction ID: 4c2bca62849440ba06ab7cf45b7e745419e897b1c1e1e03a16b17439adab886e
Opcode Fuzzy Hash: 6829c1961d2d7a976b95a72771c5281948a3b144cbd59cc3e9a777d504f96c59
Instruction Fuzzy Hash: E5517071800209AADF14EFA1CC92EEEBB35AF04745F14452BF505721A1EB386AD9DF68

Function 0048C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0048C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0048C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0048C2CA
GetLastError.KERNEL32 ref: 0048C322
SetEvent.KERNEL32(?), ref: 0048C336
InternetCloseHandle.WININET(00000000), ref: 0048C341

Strings

, xrefs: 0048C2BB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 74b0636c93e256869bad559c5974195124dd36c9636d8b7d25542fd185a0c4db
Instruction ID: dcca571e5fa73f26138b9223ec9660c497b26d26be665a6c4ee5f2301c3f81ee
Opcode Fuzzy Hash: 74b0636c93e256869bad559c5974195124dd36c9636d8b7d25542fd185a0c4db
Instruction Fuzzy Hash: 6A316F71500604AFD721AF6598C4AAF7BFCEB49744B10892FF84692240DB38DD059B79

Function 0047989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00453AAF,?,?,Bad directive syntax error,004ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004798BC
LoadStringW.USER32(00000000,?,00453AAF,?), ref: 004798C3

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00479987

Strings

Line %d:, xrefs: 00479912
., xrefs: 0047996D
Line %d (File "%s"):, xrefs: 0047992D
Error: , xrefs: 00479955
%s (%d) : ==> %s.: %s %s, xrefs: 004798F1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: fa06d9b2b9ad3f3bd0e7f2c0e597206f5bd85a688edb2dc1f3b8ae400d4d489b
Instruction ID: 5e73d1bf454e12fe2114cdb077473c7e2ec109ca6bea76091fc6e4f3dc4d1393
Opcode Fuzzy Hash: fa06d9b2b9ad3f3bd0e7f2c0e597206f5bd85a688edb2dc1f3b8ae400d4d489b
Instruction Fuzzy Hash: BA21B47190021EBBDF11AF90CC16EEE7775FF14704F04442BF915621A2EB39AA68DB58

Function 0047209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0047214D

Strings

list, xrefs: 0047212F
smallicons, xrefs: 00472115
details, xrefs: 004720FB
largeicons, xrefs: 004720E1
SHELLDLL_DefView, xrefs: 004720CC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 480a8efdf70b991f5fc79afe6b89803628bf79b93d37c7c71f2b55f650fe3af9
Instruction ID: 611cbf69ee29b9cdf684a2aa189dc85727efe1fc5bc048144b682bf17ae3cdaf
Opcode Fuzzy Hash: 480a8efdf70b991f5fc79afe6b89803628bf79b93d37c7c71f2b55f650fe3af9
Instruction Fuzzy Hash: 2B110676688707B9FA017621DD16DE7379CEB09328F60902BFB08B51D2EEAD7802565C

Function 0044CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0044CEB7
_free.LIBCMT ref: 0044CF22
_free.LIBCMT ref: 0044CF48
_free.LIBCMT ref: 0044CF71
_free.LIBCMT ref: 0044CFA9
_free.LIBCMT ref: 0044CFDA
_free.LIBCMT ref: 0044D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044D09C
_free.LIBCMT ref: 0044D0B5

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0f6d594d9b792e19d64dba72ca68b34b4ada623c32d40a52b9590f8e37912daa
Instruction ID: 750c0a0e7a1f753b1cb60f520546c754aa0ddf1d1d4dabc90750fc9e587da608
Opcode Fuzzy Hash: 0f6d594d9b792e19d64dba72ca68b34b4ada623c32d40a52b9590f8e37912daa
Instruction Fuzzy Hash: 4D6138B1A05200ABFB21AFB59CC1A6A7B95EF05314F08416FF9409B3C2DB7D9D45876C

Function 00428B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00466890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00428874,00000000,00000000,00000000,000000FF,00000000), ref: 00466901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0046691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00428874,00000000,00000000,00000000,000000FF,00000000), ref: 0046692D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: fa81703eb3a7b5ad67dffe79f50e50ce3408a4c78cab3e762331d8884ff2e4a0
Instruction ID: bd1738f8097e962daaaf6b2cb2eb0be89b6a46b8e53ad3f6cd96e8920b93ee01
Opcode Fuzzy Hash: fa81703eb3a7b5ad67dffe79f50e50ce3408a4c78cab3e762331d8884ff2e4a0
Instruction Fuzzy Hash: 9F518BB0601209EFDB20CF25DC95FAA7BB5FB48750F10452EF902972A0EB78E951DB58

Function 0048C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0048C182
GetLastError.KERNEL32 ref: 0048C195
SetEvent.KERNEL32(?), ref: 0048C1A9

Part of subcall function 0048C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0048C272
Part of subcall function 0048C253: GetLastError.KERNEL32 ref: 0048C322
Part of subcall function 0048C253: SetEvent.KERNEL32(?), ref: 0048C336
Part of subcall function 0048C253: InternetCloseHandle.WININET(00000000), ref: 0048C341

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b216da24480443753077756372bf9f2dc18e2b4ffd6eb7504d4b1429d7cdc380
Instruction ID: b03f585cd010f89a7b7b3a1440e4f4ff447f781d7afdfc5ace4c113a7b38417c
Opcode Fuzzy Hash: b216da24480443753077756372bf9f2dc18e2b4ffd6eb7504d4b1429d7cdc380
Instruction Fuzzy Hash: 40317071900601AFDB21AFA5DC84A6BBBE9FF15300B04496EF95682650DB39E8149FB8

Function 004725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00472601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00472605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0047260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00472623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00472627

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cc795c06aee6b687c30220c1268515723e3d365f9cec9b3b9c9fbbb93e9b046d
Instruction ID: 84133b2d2f81a885ff98e46ed22a8c0740ef85e32ad420e8fde034ecc074791b
Opcode Fuzzy Hash: cc795c06aee6b687c30220c1268515723e3d365f9cec9b3b9c9fbbb93e9b046d
Instruction Fuzzy Hash: 7C01D471390210BBFB106B699CCAF993F59DB4EB12F104016F318AE0D1C9E224459E6E

Function 00471803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00471449,?,?,00000000), ref: 0047180C
HeapAlloc.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 00471813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00471449,?,?,00000000), ref: 00471828
GetCurrentProcess.KERNEL32(?,00000000,?,00471449,?,?,00000000), ref: 00471830
DuplicateHandle.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 00471833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00471449,?,?,00000000), ref: 00471843
GetCurrentProcess.KERNEL32(00471449,00000000,?,00471449,?,?,00000000), ref: 0047184B
DuplicateHandle.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 0047184E
CreateThread.KERNEL32(00000000,00000000,00471874,00000000,00000000,00000000), ref: 00471868

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 99b6ec243ee29bfd6e9bdd53b6a3671cc3cdae3326ceb848c7fb3a9835a12599
Instruction ID: bfcffbb60fd692dca6b937531f55aaf4c7be63ec40b69a2cd0da393570e40acd
Opcode Fuzzy Hash: 99b6ec243ee29bfd6e9bdd53b6a3671cc3cdae3326ceb848c7fb3a9835a12599
Instruction Fuzzy Hash: 4101ACB5340304BFE650ABA5DC89F573BACEB8AB11F014421FA05DB1A1DA749C008F24

Function 00443E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00443F0B
__alldvrm.LIBCMT ref: 0044410C
__alldvrm.LIBCMT ref: 0044412E

Strings

}}C, xrefs: 00443E8A
}}C, xrefs: 00443E96, 00443EF1, 00443F0A, 00444090
}}C, xrefs: 004440CD

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}C$}}C$}}C
API String ID: 1036877536-3838356168
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 55d6bb21141281f8b76a98580d82eca2ee82b19744e9c2b012eb12fb0f4261ca
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 98A14671E006869FFB25CE18C8817AABBE4EFA1354F14416FE5859B382C63C9946C758

Function 0049A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0047D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0047D501
Part of subcall function 0047D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0047D50F
Part of subcall function 0047D4DC: CloseHandle.KERNELBASE(00000000), ref: 0047D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0049A16D
GetLastError.KERNEL32 ref: 0049A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0049A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0049A268
GetLastError.KERNEL32(00000000), ref: 0049A273
CloseHandle.KERNEL32(00000000), ref: 0049A2C4

Strings

SeDebugPrivilege, xrefs: 0049A18F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 562f8f691dd63b23c87d6ea90d1282525bd97f5838dee050914e66114e600629
Instruction ID: 36f2df698d255feddc6e8a26eca3dc0c4ee3e7c4f17fa9341202c8a72a231482
Opcode Fuzzy Hash: 562f8f691dd63b23c87d6ea90d1282525bd97f5838dee050914e66114e600629
Instruction Fuzzy Hash: B9616030204241AFDB10DF15C495F56BBE1AF44318F1484AEE46A4B7A3C77AED45CBDA

Function 004A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004A3954
_wcslen.LIBCMT ref: 004A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004A39F4

Strings

SysListView32, xrefs: 004A38F7

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e8de5c6cb76dbd63778f93a435e166ace9dae01d8fa2b12ffa6c3295429251fc
Instruction ID: ccd2430a9be2a533bf818e9775e89bebad9ccd98701324f406f60594f99308b5
Opcode Fuzzy Hash: e8de5c6cb76dbd63778f93a435e166ace9dae01d8fa2b12ffa6c3295429251fc
Instruction Fuzzy Hash: D941C571A00218ABEB21DF64CC45FEB7BA9EF19354F10012BF944E7291E7799D84CB98

Function 0047BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0047BCFD
IsMenu.USER32(00000000), ref: 0047BD1D
CreatePopupMenu.USER32 ref: 0047BD53
GetMenuItemCount.USER32(01895708), ref: 0047BDA4
InsertMenuItemW.USER32(01895708,?,00000001,00000030), ref: 0047BDCC

Strings

0, xrefs: 0047BCA8
2, xrefs: 0047BD37

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 45650f18d7a7bbd6b64570c21c9fccb71755610dcfcb28475d05258f060b191a
Instruction ID: 06c1102c7ce32793cf09bb3edbd64f06b4a9908b57febe5af0d55aa46d925c25
Opcode Fuzzy Hash: 45650f18d7a7bbd6b64570c21c9fccb71755610dcfcb28475d05258f060b191a
Instruction Fuzzy Hash: 5A51AD70A00205AFDB21CFA9C8C4BEEBBF5EF45314F14C12AE45997390E7789945CB99

Function 00432D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00432D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00432D53
_ValidateLocalCookies.LIBCMT ref: 00432DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00432E0C
_ValidateLocalCookies.LIBCMT ref: 00432E61

Strings

&HC, xrefs: 00432DFE, 00432E07, 00432E18
csm, xrefs: 00432DF6

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HC$csm
API String ID: 1170836740-3574481041
Opcode ID: b052d583835687b0c5e66397fabd623dd367a59914160ab0b7e6a30e5a391072
Instruction ID: 61b2e7129eb97acbeca5891d267d3487f72a20dd187edbdd3b69602293c7d7d0
Opcode Fuzzy Hash: b052d583835687b0c5e66397fabd623dd367a59914160ab0b7e6a30e5a391072
Instruction Fuzzy Hash: 0741D834A00209EBCF10DF69C945A9FBBB5BF48329F14915BE8146B392D779DA01CBD4

Function 0047C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0047C913

Strings

warning, xrefs: 0047C8FC
blank, xrefs: 0047C895
info, xrefs: 0047C8B4
question, xrefs: 0047C8CC
stop, xrefs: 0047C8E4

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: da685e691a2a880c087cbae40ceeebdd519494af2af04ae57b12b6c89776ffce
Instruction ID: 21ff85fea1f5f2ea39103eacf143a7c1e73e2a95a43c3f2567d7c8d498d5142b
Opcode Fuzzy Hash: da685e691a2a880c087cbae40ceeebdd519494af2af04ae57b12b6c89776ffce
Instruction Fuzzy Hash: 12112BB178930ABAA7006B149CC2DEB679CDF15319B21402FF608A6382D76C6D0052AD

Function 0047DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0047DE42
gethostname.WSOCK32(?,00000100), ref: 0047DE5C
gethostbyname.WSOCK32(?), ref: 0047DE69
inet_ntoa.WSOCK32(?), ref: 0047DEAB
_strcat.LIBCMT ref: 0047DEB9
WSACleanup.WSOCK32 ref: 0047DEDE

Strings

0.0.0.0, xrefs: 0047DE87

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: eac639b673e963746120514becdbf649a3a58ae5d3cc5350911577bcb2256ea1
Instruction ID: 0be74e1a5556144794af25f9413a68f80be1d4a0109a6e9c52a7da8c556888a8
Opcode Fuzzy Hash: eac639b673e963746120514becdbf649a3a58ae5d3cc5350911577bcb2256ea1
Instruction Fuzzy Hash: B0113671900115ABDB25BB319C4AEEF7BBCDF55325F00417FF0099A191EF789A818A58

Function 0047ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0047ED2A
_wcslen.LIBCMT ref: 0047ED3B
_wcslen.LIBCMT ref: 0047ED79
_wcslen.LIBCMT ref: 0047EDAF
_wcslen.LIBCMT ref: 0047EDDF
_wcslen.LIBCMT ref: 0047EDEF
_wcslen.LIBCMT ref: 0047EE2B
_wcslen.LIBCMT ref: 0047EE5A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f9c3f9204ef27489f36bcdff7212644f5214deb91c4c0603e7f10be9e5b25576
Instruction ID: 1734efafe1a5bf421d02fbefdca4c9ddb8c3307d0966683f1d77b2dafadc82fe
Opcode Fuzzy Hash: f9c3f9204ef27489f36bcdff7212644f5214deb91c4c0603e7f10be9e5b25576
Instruction Fuzzy Hash: 9241B465C1011875DB11EBB6888AACF77A8AF4D310F0095A7F518E3161FB3CE255C3AE

Function 0042F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0042F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0046F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0046F454

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2aa2447e6f49d28833af13ef0f09c1b97ba9820ccf9211e2db444395c33b0ed6
Instruction ID: f4f2621174da2dbcae1f2d9782b7a0e71618c96fab850a6fc96cd5e006374c0e
Opcode Fuzzy Hash: 2aa2447e6f49d28833af13ef0f09c1b97ba9820ccf9211e2db444395c33b0ed6
Instruction Fuzzy Hash: 97411BB1708690BAC7348B29B8C872B7BB1AB56314FD4403FE08756761D63D98C9CB1E

Function 004A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004A2D1B
GetDC.USER32(00000000), ref: 004A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004A2DE1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7316aca04863058deed6b42e3504aef6f9b511fd35c6fe0b7ad1bdef8ef33d5e
Instruction ID: d856e670a8b8925bfa9cab915092b040a5f56776acca71eca82ad4298affb0a6
Opcode Fuzzy Hash: 7316aca04863058deed6b42e3504aef6f9b511fd35c6fe0b7ad1bdef8ef33d5e
Instruction Fuzzy Hash: 51318072201214BFEB518F54CC89FEB3FADEF1A755F044065FE089A291C6B59C51CBA8

Function 00475622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00475637
_memcmp.LIBVCRUNTIME ref: 00475659
_memcmp.LIBVCRUNTIME ref: 00475671
_memcmp.LIBVCRUNTIME ref: 00475684
_memcmp.LIBVCRUNTIME ref: 0047569E
_memcmp.LIBVCRUNTIME ref: 004756B1
_memcmp.LIBVCRUNTIME ref: 004756C9
_memcmp.LIBVCRUNTIME ref: 004756E4

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f09c90ec28bd79cc54175b72e46c1bc452d5c0fa430c68cb4f18d814f5f72214
Instruction ID: 6aaefbd7a7b5e915b4a7130ec7be96634651264fc8830a9f4e49c14756843ba7
Opcode Fuzzy Hash: f09c90ec28bd79cc54175b72e46c1bc452d5c0fa430c68cb4f18d814f5f72214
Instruction Fuzzy Hash: 5921FC61640A0977E21855128D82FFB335CAF35398F548027FD0C9EA41F7ADEE1581ED

Function 00494FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0049502E, 00495383
Not an Object type, xrefs: 00495007

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3b48ce988c63529401446eb8be1488a6ea468072c15a2631e387b393c970eb8c
Instruction ID: 8dec7c5331494979e5d36cd6c230bcdb9564d4360288d4de5feeed0ef83ed8b7
Opcode Fuzzy Hash: 3b48ce988c63529401446eb8be1488a6ea468072c15a2631e387b393c970eb8c
Instruction Fuzzy Hash: 7CD1B171A0060A9FDF11CFA8C881BAEBBB5BF48344F24807AE915AB381E774DD45CB54

Function 00451522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00451651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004517FB,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004516FB

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00451777
__freea.LIBCMT ref: 004517A2
__freea.LIBCMT ref: 004517AE

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: eb0e1b495fce95ff45c970d785a36241d9353bc7e2e12e693997e5d6c088e61a
Instruction ID: 2d9fc0e671a93cb11dd0f2ad9e35df09db9d30e9d6593efe0ad0e6388275eadb
Opcode Fuzzy Hash: eb0e1b495fce95ff45c970d785a36241d9353bc7e2e12e693997e5d6c088e61a
Instruction Fuzzy Hash: 5D919571E00219ABDB208E74C881FEF7BA59F49715F14455BEC01E7262E739DC49CB68

Function 00494523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00494648
VariantInit.OLEAUT32(?), ref: 00494749
VariantClear.OLEAUT32(?), ref: 00494753
VariantClear.OLEAUT32(?), ref: 004947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004945D8, 00494706, 004947BE
Incorrect Object type in FOR..IN loop, xrefs: 0049472C

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0d0756cfafbb1801344bc20eec64ddd077a22954fb6982edff489e267dc72d5f
Instruction ID: 49d1327ca34a333b24b80c15ad50ea4de85957ccdb0ea6a9acfa31d50e2c941a
Opcode Fuzzy Hash: 0d0756cfafbb1801344bc20eec64ddd077a22954fb6982edff489e267dc72d5f
Instruction Fuzzy Hash: 23917671A00219ABDF24CF95C844FAF7BB8EF85714F10856AF505AB280D7789946CF64

Function 00481187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0048125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00481284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0048135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00481430

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: aa3eda03435ff02b68a6298a0d2d0bf7c0eab2391e4981e4a85742165c0bc13a
Instruction ID: 64fc30596eb504eb7ab17840d15f4c53607af06c0435327a91be93ebc5de8b8f
Opcode Fuzzy Hash: aa3eda03435ff02b68a6298a0d2d0bf7c0eab2391e4981e4a85742165c0bc13a
Instruction Fuzzy Hash: 29910371A002189FDB00EF95C884BBE77B9FF49715F10486BE901E72A1D77CA946CB98

Function 0042948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 56b786534807ed635d9a112595599399987c437eff24ff106a30e51f28f5438f
Instruction ID: 05ca2aec769e6b47f8c426d4addd1e26013a7838f5e39a7bcea2991a43360470
Opcode Fuzzy Hash: 56b786534807ed635d9a112595599399987c437eff24ff106a30e51f28f5438f
Instruction Fuzzy Hash: A1913971A04219EFCB10CFA9D884AEEBBB8FF49324F54405AE515B7251D3789D82CB64

Function 00493947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0049396B
CharUpperBuffW.USER32(?,?), ref: 00493A7A
_wcslen.LIBCMT ref: 00493A8A
VariantClear.OLEAUT32(?), ref: 00493C1F

Part of subcall function 00480CDF: VariantInit.OLEAUT32(00000000), ref: 00480D1F
Part of subcall function 00480CDF: VariantCopy.OLEAUT32(?,?), ref: 00480D28
Part of subcall function 00480CDF: VariantClear.OLEAUT32(?), ref: 00480D34

Strings

Incorrect Parameter format, xrefs: 004939A6, 00493BA1
AUTOIT.ERROR, xrefs: 00493A80, 00493A85

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 18a323709df1a08a91d14f6770db883bf4267b3a705f769677533a0f88554c87
Instruction ID: 7abff49528f9ca478c0ed716ea95a9677b8116d4d684bb9f2884dc78bc125727
Opcode Fuzzy Hash: 18a323709df1a08a91d14f6770db883bf4267b3a705f769677533a0f88554c87
Instruction Fuzzy Hash: C6918F756083019FCB00DF25C49096ABBE5FF89319F14886EF88997351DB38EE45CB9A

Function 00494BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0047000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?,?,0047035E), ref: 0047002B
Part of subcall function 0047000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470046
Part of subcall function 0047000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470054
Part of subcall function 0047000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?), ref: 00470064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00494C51
_wcslen.LIBCMT ref: 00494D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00494DCF
CoTaskMemFree.OLE32(?), ref: 00494DDA

Strings

NULL Pointer assignment, xrefs: 00494E23, 00494E52

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 034c0e50423b88157db3d55f6448d277a0f12507a72737709af303e6f75eee3d
Instruction ID: fb1e49d811127fe42ed8b59ade19fa264a589f5667d7a5bcdfb86709c6736fd3
Opcode Fuzzy Hash: 034c0e50423b88157db3d55f6448d277a0f12507a72737709af303e6f75eee3d
Instruction Fuzzy Hash: F6912871D0021DAFDF14DFA5C890EEEBBB8BF48314F10856AE919A7241DB389A45CF64

Function 004A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004A2183
GetMenuItemCount.USER32(00000000), ref: 004A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004A21DD
_wcslen.LIBCMT ref: 004A2213
GetMenuItemID.USER32(?,?), ref: 004A224D
GetSubMenu.USER32(?,?), ref: 004A225B

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004A22E3

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: bd4a864fc8a48395ba5cea93e7a1b04479dc3bc3c3e1d109305ab684bd552db5
Instruction ID: 3ef26ecbc2bf3be259ad124bdf7b76e12a09e14050462215450b4c8d5e6bd8a2
Opcode Fuzzy Hash: bd4a864fc8a48395ba5cea93e7a1b04479dc3bc3c3e1d109305ab684bd552db5
Instruction Fuzzy Hash: A271E476E00205AFCB00DF69C981AAEB7F1EF59314F1084AAE816EB341D778ED419B94

Function 004A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01895690), ref: 004A7F37
IsWindowEnabled.USER32(01895690), ref: 004A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 004A801E
SendMessageW.USER32(01895690,000000B0,?,?), ref: 004A8051
IsDlgButtonChecked.USER32(?,?), ref: 004A8089
GetWindowLongW.USER32(01895690,000000EC), ref: 004A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004A80C3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ac810aa56579d711bffd5727c59aecd5d78ea40529efed37e7bb4a2455f98a37
Instruction ID: 9be6b24c02e54c8a316599344a4f6b112b7ea9401317f06a464e82e076ad4b32
Opcode Fuzzy Hash: ac810aa56579d711bffd5727c59aecd5d78ea40529efed37e7bb4a2455f98a37
Instruction Fuzzy Hash: 3A718C74608204AFEB319F54CC94FAB7BB5EF2B300F14405AF945973A1CB39A955DB18

Function 0047AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0047AEF9
GetKeyboardState.USER32(?), ref: 0047AF0E
SetKeyboardState.USER32(?), ref: 0047AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0047AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0047AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0047AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0047B020

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 40ee27a15ad657b69e9c20263c7dba566f63bcabc90887c08775352c3cadb2c5
Instruction ID: d7e5f11b83c820724254a0923878970e609ff0f53a82abb492559a88144b401a
Opcode Fuzzy Hash: 40ee27a15ad657b69e9c20263c7dba566f63bcabc90887c08775352c3cadb2c5
Instruction Fuzzy Hash: A251C1A06087D53DFB3682348849BFB7EA99B46304F08C58AE1DD955C2C39CA894D79A

Function 0047ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0047AD19
GetKeyboardState.USER32(?), ref: 0047AD2E
SetKeyboardState.USER32(?), ref: 0047AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0047ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0047ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0047AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0047AE38

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6c3b504252f4563d54bb1c869af65293ee7305c5de8bb617e74c4d8021c1d268
Instruction ID: 0bbb919b1a8013fc562e5559fa36ea9a63a4bb6e9823816ce019a46bd98018ea
Opcode Fuzzy Hash: 6c3b504252f4563d54bb1c869af65293ee7305c5de8bb617e74c4d8021c1d268
Instruction Fuzzy Hash: A951E6A15447D13DFB3283248C45BFF7E995B86300F08C88AE0DD469C2C298ECA8D75A

Function 0044542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00453CD6,?,?,?,?,?,?,?,?,00445BA3,?,?,00453CD6,?,?), ref: 00445470
__fassign.LIBCMT ref: 004454EB
__fassign.LIBCMT ref: 00445506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00453CD6,00000005,00000000,00000000), ref: 0044552C
WriteFile.KERNEL32(?,00453CD6,00000000,00445BA3,00000000,?,?,?,?,?,?,?,?,?,00445BA3,?), ref: 0044554B
WriteFile.KERNEL32(?,?,00000001,00445BA3,00000000,?,?,?,?,?,?,?,?,?,00445BA3,?), ref: 00445584

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7be974b27e3db8dce4288a28fe535950d8195cfebf89370f4fd5ac15572036ee
Instruction ID: 3a8be8e9041603259f37193ebde6c42580a139486c5335926ac659f1848a661e
Opcode Fuzzy Hash: 7be974b27e3db8dce4288a28fe535950d8195cfebf89370f4fd5ac15572036ee
Instruction Fuzzy Hash: 3751E770A00649AFEF11CFA8D885AEEBBF5EF09300F14412BF555E7292D7749A41CB68

Function 004910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
Part of subcall function 0049304E: _wcslen.LIBCMT ref: 0049309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00491112
WSAGetLastError.WSOCK32 ref: 00491121
WSAGetLastError.WSOCK32 ref: 004911C9
closesocket.WSOCK32(00000000), ref: 004911F9

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b7f5be6981453c93e9ec974bea7938a17b159b6a8a173b8e965b638d6c3ddd39
Instruction ID: 9765d20cc8d782846dd36171b63127cfe19ab6084df616b64c42d05d81aaa42c
Opcode Fuzzy Hash: b7f5be6981453c93e9ec974bea7938a17b159b6a8a173b8e965b638d6c3ddd39
Instruction Fuzzy Hash: 2341F731600105AFDB109F14C885BAABFE9FF45358F14806AF9159B3A1C778ED81CBE9

Function 0047CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0047CF22,?), ref: 0047DDFD

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0047CF22,?), ref: 0047DE16

lstrcmpiW.KERNEL32(?,?), ref: 0047CF45
MoveFileW.KERNEL32(?,?), ref: 0047CF7F
_wcslen.LIBCMT ref: 0047D005
_wcslen.LIBCMT ref: 0047D01B
SHFileOperationW.SHELL32(?), ref: 0047D061

Strings

\*.*, xrefs: 0047CFF3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 62f6b3a1e6a5787324d0ee43f90a1785a2ab35238f2a3adaca4e7c80b1e0c04d
Instruction ID: 0a0c3ffc89610867f98d1ace412faacb9624685888a867e35375af47558ba2bc
Opcode Fuzzy Hash: 62f6b3a1e6a5787324d0ee43f90a1785a2ab35238f2a3adaca4e7c80b1e0c04d
Instruction Fuzzy Hash: 8F415771D451185EDF12EFA5C9C1BDE77B8AF09384F1040EBE509EB141EA38A644CB58

Function 004A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 004A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 004A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 004A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 004A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A2F0B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: afcbe08b7f12ab77c33aea948100070413457703b78f4eda8510633d1e4fc66f
Instruction ID: 09217e66e949798d80aafdba6fd8cf359fa017d9f37003bb1065f243eb873d51
Opcode Fuzzy Hash: afcbe08b7f12ab77c33aea948100070413457703b78f4eda8510633d1e4fc66f
Instruction Fuzzy Hash: 9131F430645150AFDB21CF5CDDC4F6637E1EB6A710F150166F9048F2B2CBB5A880EB49

Function 00477726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0047778F
SysAllocString.OLEAUT32(00000000), ref: 00477792
SysAllocString.OLEAUT32(?), ref: 004777B0
SysFreeString.OLEAUT32(?), ref: 004777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004777DE
SysAllocString.OLEAUT32(?), ref: 004777EC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 180a47c1fcd1345fa85ea1b2ddfdbca2e0c41dcdb27b03723cd1d0709d5fde98
Instruction ID: 1907a6c854d28df787dbcbc206c865ff6f7debe4ef7c476506690dd4b1d39068
Opcode Fuzzy Hash: 180a47c1fcd1345fa85ea1b2ddfdbca2e0c41dcdb27b03723cd1d0709d5fde98
Instruction Fuzzy Hash: 6221B276604219AFDB14DFA8DC88CFB77ECEB093647408436F908DB250D674EC468B68

Function 004777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477868
SysAllocString.OLEAUT32(00000000), ref: 0047786B
SysAllocString.OLEAUT32 ref: 0047788C
SysFreeString.OLEAUT32 ref: 00477895
StringFromGUID2.OLE32(?,?,00000028), ref: 004778AF
SysAllocString.OLEAUT32(?), ref: 004778BD

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6f093deb8ea1a3fb840f9c122b8b1c34a5fbf64ee85caf7d8e6f9edfaaaddf24
Instruction ID: 7b05e49c742221ac8033265a869f9c6274cf91dd368ec5728a39e532596ed145
Opcode Fuzzy Hash: 6f093deb8ea1a3fb840f9c122b8b1c34a5fbf64ee85caf7d8e6f9edfaaaddf24
Instruction Fuzzy Hash: 6D216231604114AFDB10AFA8DC88DBB7BECEB097607518126F919CB2A1D678DC45CB6D

Function 004804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0048052E

Strings

nul, xrefs: 00480567

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 75f099e1712beaf22993d6797736cfda6e356f7bed940b78d76a406d5909e4f5
Instruction ID: 9a48228d481c7bd7bb189645c54176b79ad7b283bab6f5613cb5bd11d2649014
Opcode Fuzzy Hash: 75f099e1712beaf22993d6797736cfda6e356f7bed940b78d76a406d5909e4f5
Instruction Fuzzy Hash: 95216D75610305AFDB60EF29DC44A9E7BE4AF45724F204E2AF8A1D62E0D7749948CF38

Function 004805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00480601

Strings

nul, xrefs: 00480639

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b2f9696a9f57c13ff0eea99611995276ab9cdec46da63bd1386f26d5c8e4c062
Instruction ID: d726e9dae3363738ef992d0155cfbe510bd649dfe070012dba31d1431b556c8d
Opcode Fuzzy Hash: b2f9696a9f57c13ff0eea99611995276ab9cdec46da63bd1386f26d5c8e4c062
Instruction Fuzzy Hash: 39219135510305AFDB60AF698C44A5F77E4AF85720F200F2AE8A1E33E0E7749864CB28

Function 004A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
Part of subcall function 0041600E: GetStockObject.GDI32(00000011), ref: 00416060
Part of subcall function 0041600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004A4145

Strings

Msctls_Progress32, xrefs: 004A40E3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: eb2e48e241f30cabd6ad8765c96a960efee5f0007c069f28fc0c94112b3dec4a
Instruction ID: c9d7ba6ed7162725d3ced616448d1b5bbf84ed62faece9bae52646308c077414
Opcode Fuzzy Hash: eb2e48e241f30cabd6ad8765c96a960efee5f0007c069f28fc0c94112b3dec4a
Instruction Fuzzy Hash: 3311E6B11401197EEF108F64CC85EEB7F5DEF59398F004111B618A6150C776DC61DBA8

Function 0044D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044D7A3: _free.LIBCMT ref: 0044D7CC

_free.LIBCMT ref: 0044D82D

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044D838
_free.LIBCMT ref: 0044D843
_free.LIBCMT ref: 0044D897
_free.LIBCMT ref: 0044D8A2
_free.LIBCMT ref: 0044D8AD
_free.LIBCMT ref: 0044D8B8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c377767b27301cc4aad4fa5b422dd55e7ddbb0a192f5bf0fcbcedc779b9b7479
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 671121B1A40B04ABF921BFB2CC47FCB7BDC6F04704F80482EB299A6692DA7DB5054654

Function 0047DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0047DA74
LoadStringW.USER32(00000000), ref: 0047DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0047DA91
LoadStringW.USER32(00000000), ref: 0047DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0047DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0047DAB9

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9ae9e66c017f939920714558eb0fecf04ebc3d6516ba418c19b3f3a1a321dd28
Instruction ID: a1da462aa9e4c506d35bab5c7eaf66fe5d3b49265c8d1cd150d4c48e4bf2559b
Opcode Fuzzy Hash: 9ae9e66c017f939920714558eb0fecf04ebc3d6516ba418c19b3f3a1a321dd28
Instruction Fuzzy Hash: 1B0186F69002087FE750DBA09DC9EE7376CEB09301F4044A6F70AE2041EA749E844F78

Function 0048096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0188E018,0188E018), ref: 0048097B
EnterCriticalSection.KERNEL32(0188DFF8,00000000), ref: 0048098D
TerminateThread.KERNEL32(?,000001F6), ref: 0048099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004809A9
CloseHandle.KERNEL32(?), ref: 004809B8
InterlockedExchange.KERNEL32(0188E018,000001F6), ref: 004809C8
LeaveCriticalSection.KERNEL32(0188DFF8), ref: 004809CF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 90215555e3ef42918418173c8ab6f3141c7f7e97d37f10a1312a54bc034fafd1
Instruction ID: 79c4584fa51b4a0e3771378881f3d9c5bd24afcb0b8ee26a218ab75ad849665e
Opcode Fuzzy Hash: 90215555e3ef42918418173c8ab6f3141c7f7e97d37f10a1312a54bc034fafd1
Instruction Fuzzy Hash: EEF03172542502BBD7815F94EECCBDA7F35FF02702F401026F101508A0CB749465CF98

Function 00491C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00491DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00491DE1
WSAGetLastError.WSOCK32 ref: 00491DF2
htons.WSOCK32(?,?,?,?,?), ref: 00491EDB
inet_ntoa.WSOCK32(?), ref: 00491E8C

Part of subcall function 004739E8: _strlen.LIBCMT ref: 004739F2

Part of subcall function 00493224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0048EC0C), ref: 00493240

_strlen.LIBCMT ref: 00491F35

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 8eda8098d50db5123391732863e0495abea73ecd7c3a6f81f95e32a07de9ee62
Instruction ID: 3f16cbace0477e478eccabfe3b91f0a5ccb8d7982bd02e61bfee587c1a98ea02
Opcode Fuzzy Hash: 8eda8098d50db5123391732863e0495abea73ecd7c3a6f81f95e32a07de9ee62
Instruction Fuzzy Hash: 14B1F231204301AFC724EF25C885E6A7BE5AF84318F54856EF4564B3E2DB39ED42CB95

Function 00415D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00415D30
GetWindowRect.USER32(?,?), ref: 00415D71
ScreenToClient.USER32(?,?), ref: 00415D99
GetClientRect.USER32(?,?), ref: 00415ED7
GetWindowRect.USER32(?,?), ref: 00415EF8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9a7bbd2ee61cc26cc93447fe43f975dc4a29f2f7d440b0fa1e3f85092c77c0b6
Instruction ID: 58ba3854c76b15d91ee6a1e7bd697758bdfb85b9c9fc66b20e6df40114c91a6d
Opcode Fuzzy Hash: 9a7bbd2ee61cc26cc93447fe43f975dc4a29f2f7d440b0fa1e3f85092c77c0b6
Instruction Fuzzy Hash: B7B17B78A0074ADBDB10DFA9C4807EEB7F1FF94310F14841AE8A9D7250D738AA91DB59

Function 004401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004400D6
__allrem.LIBCMT ref: 004400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044010B
__allrem.LIBCMT ref: 00440122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00440140

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a7bc3b624c1f6bf048d3cb5a78ab0417a2618118eb77044d913ecf2298be7943
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 3681F572A007069BF720AE2ACC41B6B73E8AF55328F24453FF951D7781E779D9048B98

Function 004461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004382D9,004382D9,?,?,?,0044644F,00000001,00000001,8BE85006), ref: 00446258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044644F,00000001,00000001,8BE85006,?,?,?), ref: 004462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004463D8
__freea.LIBCMT ref: 004463E5

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

__freea.LIBCMT ref: 004463EE
__freea.LIBCMT ref: 00446413

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 32a539a2e8659de3411d454d0271453b1558fa1f381ee0f743e755c2849ab4b9
Instruction ID: 08792b7ba3183a3762053034266875ea390e27941e422d4b1903377c80dd72d7
Opcode Fuzzy Hash: 32a539a2e8659de3411d454d0271453b1558fa1f381ee0f743e755c2849ab4b9
Instruction Fuzzy Hash: 48512472600256ABFB259F64CC81EAF7BA9EF46710F16426BFC05D6240DB3CDC40C66A

Function 0049BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049BD25
RegCloseKey.ADVAPI32(00000000), ref: 0049BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0049BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0049BDF3
RegCloseKey.ADVAPI32(?), ref: 0049BDFF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c7f86dccda7ea3094d5f0b995f66842e53fc10fdb02f9e4f1ca84e14ba7a64a4
Instruction ID: be57c2d582a13b8435e86927679a46912f523a4374cf047bf12102d224957fb4
Opcode Fuzzy Hash: c7f86dccda7ea3094d5f0b995f66842e53fc10fdb02f9e4f1ca84e14ba7a64a4
Instruction Fuzzy Hash: 8381DD30208200AFCB14DF20D884E6ABBE5FF84308F14896EF4594B2A2DB35ED45CB96

Function 0046F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0046F7B9
SysAllocString.OLEAUT32(00000001), ref: 0046F860
VariantCopy.OLEAUT32(0046FA64,00000000), ref: 0046F889
VariantClear.OLEAUT32(0046FA64), ref: 0046F8AD
VariantCopy.OLEAUT32(0046FA64,00000000), ref: 0046F8B1
VariantClear.OLEAUT32(?), ref: 0046F8BB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 4808cb304ed7bdbbece158bd611d0ed39eeae6a7c303c3986544d899015ef101
Instruction ID: 39739ae8b2f115f53030ea3b63a812cd6793bdd48726e099c0b1ea6ef1983e18
Opcode Fuzzy Hash: 4808cb304ed7bdbbece158bd611d0ed39eeae6a7c303c3986544d899015ef101
Instruction Fuzzy Hash: EC51E971610310BACF10AB66E895B29B3A4EF45314F20447BE946DF291FB789C49C79F

Function 0048910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004894E5
_wcslen.LIBCMT ref: 00489506
_wcslen.LIBCMT ref: 0048952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00489585

Strings

X, xrefs: 00489412

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c6532960a45dfe6d31e17d0884af780df3feb3e68e8c1de0a6656944d00b76fb
Instruction ID: f7a77bbc4ea995dcc8ce3c6660a8f1fb99c9f336fc6429c5337dcca31ac4c31c
Opcode Fuzzy Hash: c6532960a45dfe6d31e17d0884af780df3feb3e68e8c1de0a6656944d00b76fb
Instruction Fuzzy Hash: 29E1B6315047009FD714EF25C881AAEB7E1BF85318F08896EF8999B391DB34DD45CB99

Function 0042920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

BeginPaint.USER32(?,?,?), ref: 00429241
GetWindowRect.USER32(?,?), ref: 004292A5
ScreenToClient.USER32(?,?), ref: 004292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004292D3
EndPaint.USER32(?,?,?,?,?), ref: 00429321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004671EA

Part of subcall function 00429339: BeginPath.GDI32(00000000), ref: 00429357

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 72cad3d36e04ed09d64d74d7880cf55430a2b78e874b7f329a77fe2d10a71600
Instruction ID: 6034aaa4e55575bdf0aa3a0fa7d2e1413272dd3e658d1a97844b9e5c3fc0697a
Opcode Fuzzy Hash: 72cad3d36e04ed09d64d74d7880cf55430a2b78e874b7f329a77fe2d10a71600
Instruction Fuzzy Hash: 8141A170204210AFD710DF25DCC4FBA7BA8EF4A724F04066AF9548B2B2D7389C45DB6A

Function 004807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0048080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00480847
EnterCriticalSection.KERNEL32(?), ref: 00480863
LeaveCriticalSection.KERNEL32(?), ref: 004808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00480921

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6e713bb872c64b4501b20af6c13899468374cf63acecf63f326dd49751d1e5f2
Instruction ID: 23546aaab79aade105d2a92eb994ff35ddc13e6bf4c3c2ecd305efc941eeff80
Opcode Fuzzy Hash: 6e713bb872c64b4501b20af6c13899468374cf63acecf63f326dd49751d1e5f2
Instruction Fuzzy Hash: A0418B71A00205EBDF15AF54DC85AAA7778FF04304F5044BAED00AA297DB34DE68DBA8

Function 004A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0046F3AB,00000000,?,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 004A824C
EnableWindow.USER32(?,00000000), ref: 004A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004A82D1
ShowWindow.USER32(?,00000004), ref: 004A82E5
EnableWindow.USER32(?,00000001), ref: 004A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004A832F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b5dc2a36551623c901a162104724f3f712abc3599ad27a2d8ce1f4f42292cd60
Instruction ID: 4885e7855455d33656b92683b48d2dc7f613daad38af60fa9af44eff188f5a09
Opcode Fuzzy Hash: b5dc2a36551623c901a162104724f3f712abc3599ad27a2d8ce1f4f42292cd60
Instruction Fuzzy Hash: 5D418C75601644AFDF21CF15D8D9BA57BE0FB1B714F1801AAEA484F2B3CB36A841CB48

Function 00474C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00474C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00474CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00474CEA
_wcslen.LIBCMT ref: 00474D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00474D10
_wcsstr.LIBVCRUNTIME ref: 00474D1A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: caf43dc33dc1fd34708f52c5e663b9b6fa67b8b181a66592fcc0e2301e568c09
Instruction ID: 41177ba51f8c10e7beae0a095ce292d86f1b12f90b2af649872799cd8941021b
Opcode Fuzzy Hash: caf43dc33dc1fd34708f52c5e663b9b6fa67b8b181a66592fcc0e2301e568c09
Instruction Fuzzy Hash: CC21FF712041107BE7259B35AD45EBB7F9CDF85750F11807FF809CA151DF69DC0196A4

Function 0048581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

_wcslen.LIBCMT ref: 0048587B
CoInitialize.OLE32(00000000), ref: 00485995
CoCreateInstance.OLE32(004AFCF8,00000000,00000001,004AFB68,?), ref: 004859AE
CoUninitialize.OLE32 ref: 004859CC

Strings

.lnk, xrefs: 00485876, 004858C1, 00485985

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 02f5273dad3f3599585c3c68b88e11e0e4d097715929a94f3ea41ee0264f97f7
Instruction ID: 1f241cee7ad67021fafe78226c8e2e1a15611d7450086d2c0c520245b3ce15a1
Opcode Fuzzy Hash: 02f5273dad3f3599585c3c68b88e11e0e4d097715929a94f3ea41ee0264f97f7
Instruction Fuzzy Hash: CFD144716046019FC714EF25C480A6EBBE2FF89718F14885EF8899B361D739EC45CB9A

Function 0047175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00470FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00470FCA
Part of subcall function 00470FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00470FD6
Part of subcall function 00470FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00470FE5
Part of subcall function 00470FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00470FEC
Part of subcall function 00470FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00471002

GetLengthSid.ADVAPI32(?,00000000,00471335), ref: 004717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004717BA
HeapAlloc.KERNEL32(00000000), ref: 004717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004717DA
GetProcessHeap.KERNEL32(00000000,00000000,00471335), ref: 004717EE
HeapFree.KERNEL32(00000000), ref: 004717F5

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 713752c9510535fc862bbcb1e67439a462adb0fa9335662028b91e6e4304af82
Instruction ID: 39f37885331c193b6c0bd358c72011c24584806004971767b5060491a8fac03d
Opcode Fuzzy Hash: 713752c9510535fc862bbcb1e67439a462adb0fa9335662028b91e6e4304af82
Instruction Fuzzy Hash: 8D118E71601205FFDB189FA8CC89BEFBBA9EB46355F10802AF44597220D739A944CF68

Function 004714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00471506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00471515
CloseHandle.KERNEL32(00000004), ref: 00471520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00471563

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0d09d6919cd0f005675ec209c84f50e23e76bc35b7ae51b336fd4fb1b33fd804
Instruction ID: 2f1594f55a7c8cb2294521a8c34156db9a8aa7a81e0dec2a4c56a20469988dd3
Opcode Fuzzy Hash: 0d09d6919cd0f005675ec209c84f50e23e76bc35b7ae51b336fd4fb1b33fd804
Instruction Fuzzy Hash: 9011267650020ABBDF118FA8DE89BDF7BA9EF49744F048025FA09A2160C3758E65DB64

Function 00433382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00433379,00432FE5), ref: 00433390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004333B7
SetLastError.KERNEL32(00000000,?,00433379,00432FE5), ref: 00433409

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 94ba2cdf7e45a0e4205e7e9fe41f9b0dedcb44446320dd45022dafe77fe0749f
Instruction ID: ee87cfb10787d4b11fea635c66c6473afc9bf668c8963e6ba6ff383981fa8817
Opcode Fuzzy Hash: 94ba2cdf7e45a0e4205e7e9fe41f9b0dedcb44446320dd45022dafe77fe0749f
Instruction Fuzzy Hash: 7A01F53220A312BEAA252FB66CC66576B54DB1D77BF20923FF810812F1EF194D01914C

Function 00442D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00445686,00453CD6,?,00000000,?,00445B6A,?,?,?,?,?,0043E6D1,?,004D8A48), ref: 00442D78
_free.LIBCMT ref: 00442DAB
_free.LIBCMT ref: 00442DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0043E6D1,?,004D8A48,00000010,00414F4A,?,?,00000000,00453CD6), ref: 00442DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0043E6D1,?,004D8A48,00000010,00414F4A,?,?,00000000,00453CD6), ref: 00442DEC
_abort.LIBCMT ref: 00442DF2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 87b26909f72037bad5c5d086486b1020b940d93f18a23cd448839f0232acdda1
Instruction ID: da92441ee169492da4535394740f22c8a52c034306245e407036841f70511c34
Opcode Fuzzy Hash: 87b26909f72037bad5c5d086486b1020b940d93f18a23cd448839f0232acdda1
Instruction Fuzzy Hash: AEF02DB194590137F65237367E46F5F2A55AFC2765F64002FF824922D2DEFC8801426C

Function 004A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00429639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296A2
Part of subcall function 00429639: BeginPath.GDI32(?), ref: 004296B9
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004A8A70
LineTo.GDI32(?,00000000,00000003), ref: 004A8A80
EndPath.GDI32(?), ref: 004A8A90
StrokePath.GDI32(?), ref: 004A8AA0

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b6c18d542ec193f35e011439873e7249bcde06685e767de20389c9ba3aade09f
Instruction ID: 2763b2413425744688e43200f531a1f45c9e2f9b88bac5330b09e51f8288fde3
Opcode Fuzzy Hash: b6c18d542ec193f35e011439873e7249bcde06685e767de20389c9ba3aade09f
Instruction Fuzzy Hash: B611177604414CFFEF129F90DC88EAA7FACEB09354F008026BA199A1A1C7719D55DFA4

Function 004751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00475218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00475229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00475230
ReleaseDC.USER32(00000000,00000000), ref: 00475238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0047524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00475261

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 56a657c657abbaf1ae1b2fa63b866ad810472cae7daa1520dd3baeb040bf8ccd
Instruction ID: b478207ead9bded2994e5a75cdca39e5f22044c99e0cd918db43bcb14021a8ec
Opcode Fuzzy Hash: 56a657c657abbaf1ae1b2fa63b866ad810472cae7daa1520dd3baeb040bf8ccd
Instruction Fuzzy Hash: AF014475A00714BBEB109BA59C49A9EBFB9EB45751F044066FA04AB381D6709C01CFA4

Function 00411BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00411BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00411C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00411C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00411C22

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b82c27ef77be373fb79d768c11b49100e3c2383e9df10edc1a26d8b66baebb76
Instruction ID: d493e9c988888cf1d66a9505dcfddd78373853669c9bcba617f077a56dc52d90
Opcode Fuzzy Hash: b82c27ef77be373fb79d768c11b49100e3c2383e9df10edc1a26d8b66baebb76
Instruction Fuzzy Hash: 880167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0047EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0047EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0047EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0047EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB75

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9833bf06cacfe7257034509a113eb5214938d23b96800fcfedc48189a40a840d
Instruction ID: 9e055b19992bea128c1e96962202570f0e47ffc8bf24a53ce0b8b7c318cd5711
Opcode Fuzzy Hash: 9833bf06cacfe7257034509a113eb5214938d23b96800fcfedc48189a40a840d
Instruction Fuzzy Hash: 3FF05472240158BBE7619B529C4DEEF3E7CEFCBB11F004169F601D1191DBA05A01CAB9

Function 00467439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00467452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00467469
GetWindowDC.USER32(?), ref: 00467475
GetPixel.GDI32(00000000,?,?), ref: 00467484
ReleaseDC.USER32(?,00000000), ref: 00467496
GetSysColor.USER32(00000005), ref: 004674B0

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 93c9250fc3b27b4d275d6063ab14f121d8382c43f99ff1df49e7e13a0a3fb3de
Instruction ID: 37d12297833d4d9562e8c5ae27ae2f72ad7d91c848f1b1e770cf022df2df1e3b
Opcode Fuzzy Hash: 93c9250fc3b27b4d275d6063ab14f121d8382c43f99ff1df49e7e13a0a3fb3de
Instruction Fuzzy Hash: 6A018B31500215FFEB909F64DD48BAA7FB5FB05311F500071F915A21A1CF311E42AB59

Function 00471874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0047187F
UnloadUserProfile.USERENV(?,?), ref: 0047188B
CloseHandle.KERNEL32(?), ref: 00471894
CloseHandle.KERNEL32(?), ref: 0047189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004718A5
HeapFree.KERNEL32(00000000), ref: 004718AC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9bf72216978b42fe2df08dc3f184cd041d70c36a5b0b1ebf7cab93073d43d17f
Instruction ID: a6468c14aaad85d95ab4b43a71100f0c1fd1e9a74cc05d3d72b1e6cbacef8e77
Opcode Fuzzy Hash: 9bf72216978b42fe2df08dc3f184cd041d70c36a5b0b1ebf7cab93073d43d17f
Instruction Fuzzy Hash: 04E0E576204101BBDB416FA1ED4C90ABF79FF4AB22B108230F22581070CB329421DF58

Function 0041BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041BEB3

Strings

D%N, xrefs: 0041BDED, 0041BD91, 0041BD1B
D%N, xrefs: 0041BE9A
D%N, xrefs: 0041BCA2
D%ND%N, xrefs: 0041BCA5

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%N$D%N$D%N$D%ND%N
API String ID: 1385522511-2848982604
Opcode ID: 778719f60a104dcf0ccd177bdf84589ea30439dbf6684f63a5fdf9524693df48
Instruction ID: 6ea5914dde4d3614734cc7f24822dc5fde11845d43a37a4303ff65ac5b2307f6
Opcode Fuzzy Hash: 778719f60a104dcf0ccd177bdf84589ea30439dbf6684f63a5fdf9524693df48
Instruction Fuzzy Hash: 57916875A0020ADFCB18CF59C1906EAB7F1FF59310B24816ED941AB350E779AD81CBD8

Function 00497B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00430242: EnterCriticalSection.KERNEL32(004E070C,004E1884,?,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043024D
Part of subcall function 00430242: LeaveCriticalSection.KERNEL32(004E070C,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043028A

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

__Init_thread_footer.LIBCMT ref: 00497BFB

Part of subcall function 004301F8: EnterCriticalSection.KERNEL32(004E070C,?,?,00428747,004E2514), ref: 00430202
Part of subcall function 004301F8: LeaveCriticalSection.KERNEL32(004E070C,?,00428747,004E2514), ref: 00430235

Strings

Variable must be of type 'Object'., xrefs: 00497C3A
G, xrefs: 00497C7F
5, xrefs: 00497C78
+TF, xrefs: 00497E2E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TF$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4280218163
Opcode ID: f6a16fa33cb159536fb688e2cb3b970e101e5c7a7928e6385b4483ede6bdc62e
Instruction ID: dc8afd1bf4116c1208d511a716ebc4e0fe3f2365de9aa8903e19c7bac440db70
Opcode Fuzzy Hash: f6a16fa33cb159536fb688e2cb3b970e101e5c7a7928e6385b4483ede6bdc62e
Instruction Fuzzy Hash: 6C91AD70A14208EFCF04EF55D8919AEBBB1BF49304F14816EF8065B392DB79AE41CB59

Function 0047C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047C6EE
_wcslen.LIBCMT ref: 0047C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0047C7CA

Strings

0, xrefs: 0047C6AF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 6f2c06fcceb46ee5a417394521afe865c103c218ef31b31dc8b20b061f51f7b5
Instruction ID: 036c8139172a9f7fd1662064223204c19d98b54ff38c2ffca6a104d234804fbf
Opcode Fuzzy Hash: 6f2c06fcceb46ee5a417394521afe865c103c218ef31b31dc8b20b061f51f7b5
Instruction Fuzzy Hash: 4251E3716043019BD7189F29C8C5BEB77E4AF49314F04892FF999D32A1DB78D904CB5A

Function 0049AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0049AEA3

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

GetProcessId.KERNEL32(00000000), ref: 0049AF38
CloseHandle.KERNEL32(00000000), ref: 0049AF67

Strings

<, xrefs: 0049AE6B
@, xrefs: 0049AE72

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: da3861950a4e83546d7ae0c68ee95ccce28b5fe26f0bfd751639bb8b38d5d387
Instruction ID: 768865b3bdf31409f9d64233fa41ed74dc96dff1021e3930170bc98b8bc759db
Opcode Fuzzy Hash: da3861950a4e83546d7ae0c68ee95ccce28b5fe26f0bfd751639bb8b38d5d387
Instruction Fuzzy Hash: 4D714970A00615DFCF14DF55C484A9EBBF1BF08318F0484AAE81AAB751CB78ED95CB99

Function 0047719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00477206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0047723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0047724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004772CF

Strings

DllGetClassObject, xrefs: 00477242

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 84df3b845cbf5adf0a617163e0c43572df966713748ba81f1eda258850e5e808
Instruction ID: 78e40fe605dddce31242282e7b0a38f9ab9f1a9eb59d5bfeefa87fa2826868c2
Opcode Fuzzy Hash: 84df3b845cbf5adf0a617163e0c43572df966713748ba81f1eda258850e5e808
Instruction Fuzzy Hash: 1A419D71A04204AFDB15CF54C884ADA7BA9EF44314F60C0AEFD099F20AD7B8D944CBA4

Function 004A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A3E35
IsMenu.USER32(?), ref: 004A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004A3E92
DrawMenuBar.USER32 ref: 004A3EA5

Strings

0, xrefs: 004A3D89

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: be11eda8e55823a4c5dd314aef5c7d7854119da3bd2d32cddc10917f40bcded8
Instruction ID: 358611fc54028fd19411c81743056fbcd683b987c2e189c7972843d632d761f0
Opcode Fuzzy Hash: be11eda8e55823a4c5dd314aef5c7d7854119da3bd2d32cddc10917f40bcded8
Instruction Fuzzy Hash: 81415975A01209EFDB10DF50D884AABBBB5FF5A356F04412AF9059B350E734AE41CF54

Function 00471DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00471E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00471E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00471EA9

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Strings

ListBox, xrefs: 00471E25
ComboBox, xrefs: 00471DF0

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: eab37a5b54cfa49451ef739c1846035ec58c4f7da949240ec79be3ba199361e7
Instruction ID: 76072e64cfff2d64756e7fc843cbb86739bdd03fa2d33123d0401edc891935ab
Opcode Fuzzy Hash: eab37a5b54cfa49451ef739c1846035ec58c4f7da949240ec79be3ba199361e7
Instruction Fuzzy Hash: 6B213771A00104BEDB14AB69DC56DFFB7B8DF42354B10812FF859A32E0DB3C4D4A8628

Function 004A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004A2F8D
LoadLibraryW.KERNEL32(?), ref: 004A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004A2FA9
DestroyWindow.USER32(?), ref: 004A2FB1

Strings

SysAnimate32, xrefs: 004A2F68

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5a059ece18695e012411c228c778116c19e0e175ffa8178757ede497c9db3c28
Instruction ID: 1b84eb1fdade81f0549b63b0f3455e8ea16a86318cb4c701d95909bb8856eeed
Opcode Fuzzy Hash: 5a059ece18695e012411c228c778116c19e0e175ffa8178757ede497c9db3c28
Instruction Fuzzy Hash: 5521C371200205AFEB108F68DD80FBB37BDEB6A368F10422AF950D6290D7B5DC51B768

Function 00434D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00434D1E,004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002), ref: 00434D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00434DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00434D1E,004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000), ref: 00434DC3

Strings

mscoree.dll, xrefs: 00434D86
CorExitProcess, xrefs: 00434D98

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 17d6c6ef9b1753d6ba9eb775796148d862211fa9ea9ac1400f165082f0fac582
Instruction ID: 4a44dd46e48559abad93e14b117633f573e7f023cd2bac84df3a9d42d1da2fbb
Opcode Fuzzy Hash: 17d6c6ef9b1753d6ba9eb775796148d862211fa9ea9ac1400f165082f0fac582
Instruction Fuzzy Hash: E8F03134640208ABDB515F94DC49BDEBFE5EB48752F0001AAE805A2250CB745940DE98

Function 00414E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414EAE
FreeLibrary.KERNEL32(00000000,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EC0

Strings

kernel32.dll, xrefs: 00414E94
Wow64DisableWow64FsRedirection, xrefs: 00414EA8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 2fcb139f9e97e8b65accf9693ffe75c06bc64cadc27bfd00ff72ecb099ccb975
Instruction ID: 9388f1a29be9f88115b5940574dbe45d4e4491b1a4eb700cbc59b58498d1ec89
Opcode Fuzzy Hash: 2fcb139f9e97e8b65accf9693ffe75c06bc64cadc27bfd00ff72ecb099ccb975
Instruction Fuzzy Hash: E8E0CD35B017229BD2711B257C58B9F6954AFC3F637050127FC04D2304DB68DD4148BD

Function 00414E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414E74
FreeLibrary.KERNEL32(00000000,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E87

Strings

kernel32.dll, xrefs: 00414E5B
Wow64RevertWow64FsRedirection, xrefs: 00414E6E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: dc3b485f2ac8406f4e6247426b62578b71c011e96e7fac995004df403e123362
Instruction ID: 989c52f1e93b047bff59084ed21e506efb34e8f80c4f378a66b6b0d8b510ba05
Opcode Fuzzy Hash: dc3b485f2ac8406f4e6247426b62578b71c011e96e7fac995004df403e123362
Instruction Fuzzy Hash: ADD0C2356427226746621B247C18ECB2E18AFC3B213050223F800A2214CF29CD42C9EC

Function 00482947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482C05
DeleteFileW.KERNEL32(?), ref: 00482C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00482C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482CC0

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 3e1163149c025d58843b5625dea454ceed2315e0d6cb4e0bf22621694f983a2a
Instruction ID: 5cf82a61d61d2dfd5d181f94456cb88ce852856a03885391282a198eab559881
Opcode Fuzzy Hash: 3e1163149c025d58843b5625dea454ceed2315e0d6cb4e0bf22621694f983a2a
Instruction Fuzzy Hash: 4DB17E72D01119ABDF11EFA5CD85EEEBB7CEF48304F0044ABF509A6141EB789A448F69

Function 0049A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0049A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0049A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0049A468
CloseHandle.KERNEL32(?), ref: 0049A63D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 877afe03b3f44d3bd7935d721423133d296b347392f1fb85ba45a9707894c6b2
Instruction ID: 9082ec479254e114fbc28b0797779e1aeb1a99a403012a6b58db033f1b30d769
Opcode Fuzzy Hash: 877afe03b3f44d3bd7935d721423133d296b347392f1fb85ba45a9707894c6b2
Instruction Fuzzy Hash: 50A19371604300AFDB20DF15D885F2ABBE5AF44718F14882EF9999B3D2D7B4EC418B96

Function 0044BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004B3700), ref: 0044BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0044BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004E1270,000000FF,?,0000003F,00000000,?), ref: 0044BC36
_free.LIBCMT ref: 0044BB7F

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044BD4B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 89655aef374f3786b320aa648b706b31e08314b5e144f8f6834667acac800707
Instruction ID: 0a4b96cad64463c0c510b95a757c983b12f7399a9e43482ed5795104e8fce694
Opcode Fuzzy Hash: 89655aef374f3786b320aa648b706b31e08314b5e144f8f6834667acac800707
Instruction Fuzzy Hash: 4F51D871D00209AFEB10EF669CC19AEB7B8EF45314B1042AFE554E72A1EB74DD418BD8

Function 0047E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0047CF22,?), ref: 0047DDFD

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0047CF22,?), ref: 0047DE16

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

lstrcmpiW.KERNEL32(?,?), ref: 0047E473
MoveFileW.KERNEL32(?,?), ref: 0047E4AC
_wcslen.LIBCMT ref: 0047E5EB
_wcslen.LIBCMT ref: 0047E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0047E650

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2520168432b8b636160a162f24862c93690ecb6fc3b4ebb1331a84ccce1f6cf5
Instruction ID: 4a7e949fc09f8578df0285f7f958b2dc41a442f31998295e87a4b7bfad6995a5
Opcode Fuzzy Hash: 2520168432b8b636160a162f24862c93690ecb6fc3b4ebb1331a84ccce1f6cf5
Instruction Fuzzy Hash: 8C516FB24083455BC724EBA1DC819DB73ECAF89344F004A6FE689D3151EF78A588876E

Function 0049B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0049BB63
RegCloseKey.ADVAPI32(?,?), ref: 0049BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0049BBB3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: bafa64b433be41009be818a03790b9a1c939d27772ad57c9136980c2edc90191
Instruction ID: 5041afaf4b4e0da743bf7ef48ad0b16c2d0bc52f8bb74cfb1fbad5ef4f0e9427
Opcode Fuzzy Hash: bafa64b433be41009be818a03790b9a1c939d27772ad57c9136980c2edc90191
Instruction Fuzzy Hash: B161D131208201AFC714DF14C990E6BBBE5FF84308F14896EF4998B2A2DB35ED45CB96

Function 00478BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478BCD
VariantClear.OLEAUT32 ref: 00478C3E
VariantClear.OLEAUT32 ref: 00478C9D
VariantClear.OLEAUT32(?), ref: 00478D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00478D3B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 694fcbc8b9cf9751aef9645ff0760a301874e197b115279830d1c5d8bc83d813
Instruction ID: 70ca067523b154fdbb5e6de94d7b85697061bc555aadc03d714f56de2c1ba891
Opcode Fuzzy Hash: 694fcbc8b9cf9751aef9645ff0760a301874e197b115279830d1c5d8bc83d813
Instruction Fuzzy Hash: FC516DB5A00219DFCB10CF58D894AAABBF4FF8D314B15855AE909DB350D734E911CF94

Function 00488AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00488BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00488BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00488C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00488C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00488C5F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 265061e54bbd1ddac715d999542e6808f1f03752c43c496240c6187f250042ef
Instruction ID: a829c9f05553940ea5e42b33936484159c4767965be1b7d4bd357bd9017903e4
Opcode Fuzzy Hash: 265061e54bbd1ddac715d999542e6808f1f03752c43c496240c6187f250042ef
Instruction Fuzzy Hash: 6D515F35A00214AFCB01DF65C881AAEBBF5FF49318F08845DE849AB362DB35ED41CB94

Function 00498EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00498F40
GetProcAddress.KERNEL32(00000000,?), ref: 00498FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00498FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00499032
FreeLibrary.KERNEL32(00000000), ref: 00499052

Part of subcall function 0042F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00481043,?,7529E610), ref: 0042F6E6
Part of subcall function 0042F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0046FA64,00000000,00000000,?,?,00481043,?,7529E610,?,0046FA64), ref: 0042F70D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f1dfa2a8af92c6f2fa23fa31397c99e199f4062d0487f0e37f120e8f4857c860
Instruction ID: ba985ac36e7d70186bcf075020540c50bf7674d1c3f7e011078ac1edfa6f5ef5
Opcode Fuzzy Hash: f1dfa2a8af92c6f2fa23fa31397c99e199f4062d0487f0e37f120e8f4857c860
Instruction Fuzzy Hash: 22512935600205DFCB11DF59C4948AEBBF1FF49358B0480AEE8169B362DB35ED86CB95

Function 004A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0048AB79,00000000,00000000), ref: 004A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004A6CC7

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e4dfb80d215fe2f0abfa13afd2ae1b7df0d614a54378e2a4d9d2adce287eb267
Instruction ID: 3b4f8a48d1fb26aceece9514bb38876a1b8233be03b8539f99eeaf058a13b111
Opcode Fuzzy Hash: e4dfb80d215fe2f0abfa13afd2ae1b7df0d614a54378e2a4d9d2adce287eb267
Instruction Fuzzy Hash: 2841F635600114AFD724CF28CC84FA67FA5EB1B360F0A022AF955AB3E1C779ED41CA58

Function 00442051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004420C3
_free.LIBCMT ref: 004420E3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: daf33a5b8842fb7a8a440f6bb4683ce336f28dd3ef03a246876850ab670c2d30
Instruction ID: dbe4b12d1b5ef9a76a7b268ee01cd29a6b7b1667680eef61006dd1f4afb043e6
Opcode Fuzzy Hash: daf33a5b8842fb7a8a440f6bb4683ce336f28dd3ef03a246876850ab670c2d30
Instruction Fuzzy Hash: 56410472A002009FEB20DF79C981A5EB3F1EF88314F95416AF605EB352D6B5AD01CB84

Function 0042912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00429141
ScreenToClient.USER32(00000000,?), ref: 0042915E
GetAsyncKeyState.USER32(00000001), ref: 00429183
GetAsyncKeyState.USER32(00000002), ref: 0042919D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 23f58be605c12e13882f6a621315a3a09da15055e6934ad91cd90781d33d268a
Instruction ID: d07b7fb9b1cc10956d52b5274f51739ca756b7f87ede036128ea1593edfdff20
Opcode Fuzzy Hash: 23f58be605c12e13882f6a621315a3a09da15055e6934ad91cd90781d33d268a
Instruction Fuzzy Hash: DB417D31A0821AAADB059F69D844AFEB774FB06324F20822BE425A23D0D7785D50CB96

Function 00483874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00483922
TranslateMessage.USER32(?), ref: 0048394B
DispatchMessageW.USER32(?), ref: 00483955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00483966

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e6b956bf743025c86a323533d8fb16062911f204e1dfbd9e1c3a221e0b9aef96
Instruction ID: cfab3a0175811c045164ca863a3fe19fea1ccd759c791dfe665831cb9672692f
Opcode Fuzzy Hash: e6b956bf743025c86a323533d8fb16062911f204e1dfbd9e1c3a221e0b9aef96
Instruction Fuzzy Hash: 4B31DAB09443819EEB35EF34D888B7B3BE8AB05B05F040D7BE452862A1D3FC9585CB19

Function 0048CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0048CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFF2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 98aec098887ba07bc22ddfb9a368c1993debbb0128ae7de484101cf3804d53d4
Instruction ID: 876457f0adcaf2424fbabab0cef010281955103ad9a08f2b8f0f95e5a748d9fa
Opcode Fuzzy Hash: 98aec098887ba07bc22ddfb9a368c1993debbb0128ae7de484101cf3804d53d4
Instruction Fuzzy Hash: 5C314171504205AFEB20EFA5D8C49AF7BF9EB15354B10486FF606D2280DB38AD459B68

Function 00471901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00471915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004719E2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 085d660e6e7fb3195bc34f4fdc3be1d84c6fc89de580f156c20b6a24d221a68d
Instruction ID: b81f49960a7c1050747a43b0eeea243e6d0626db0cd380daa65a4b8b37457e6a
Opcode Fuzzy Hash: 085d660e6e7fb3195bc34f4fdc3be1d84c6fc89de580f156c20b6a24d221a68d
Instruction Fuzzy Hash: C931F6B1A00219EFCB10CFACCD98ADE3BB5EB05314F008226FA25A72E0C3749D45CB94

Function 004A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004A579D
_wcslen.LIBCMT ref: 004A57AF
_wcslen.LIBCMT ref: 004A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004A5816

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e69d7c13cfee4c0b5b5f4270a619e052e1bff7d024229b3e3a9b4c17043470eb
Instruction ID: a68b5054da3947af00bb4884a75f7ad8ccd26a7aca2bd31704d276795f5bfeb5
Opcode Fuzzy Hash: e69d7c13cfee4c0b5b5f4270a619e052e1bff7d024229b3e3a9b4c17043470eb
Instruction Fuzzy Hash: 7C21D775900608DADB20DF60CD84AEE7B7CFF16324F104117F919EA280D7789985CF59

Function 00490930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00490951
GetForegroundWindow.USER32 ref: 00490968
GetDC.USER32(00000000), ref: 004909A4
GetPixel.GDI32(00000000,?,00000003), ref: 004909B0
ReleaseDC.USER32(00000000,00000003), ref: 004909E8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6f66b99f1474ac2ce5f3f7d840feaef23cf7908b7fcf019991c7a53eafa980e0
Instruction ID: e348afaf92aaf7ff8b2808d734d348c12d10c30eb487fb869ddea32893235637
Opcode Fuzzy Hash: 6f66b99f1474ac2ce5f3f7d840feaef23cf7908b7fcf019991c7a53eafa980e0
Instruction Fuzzy Hash: B421A175600204AFD704EF65C984AAEBBE9EF49704F00843EE84AA7362DB34AC45CB94

Function 0044CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CDE9

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044CE0F
_free.LIBCMT ref: 0044CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044CE31

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 08e1ae7251d896a1960962ce4e7754ec2ea01e1cf9f5a629c3fc0d4c9517cf23
Instruction ID: e5c4b19c28e31fe9e747232f6dac4d4b5fa34164c6cd0ee705155136c413902d
Opcode Fuzzy Hash: 08e1ae7251d896a1960962ce4e7754ec2ea01e1cf9f5a629c3fc0d4c9517cf23
Instruction Fuzzy Hash: DB0175726026157F376116B76CC8D7BAD6DDAC7BA1329012AFD05C6201DF698D0291B8

Function 00429639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
SelectObject.GDI32(?,00000000), ref: 004296A2
BeginPath.GDI32(?), ref: 004296B9
SelectObject.GDI32(?,00000000), ref: 004296E2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4853d94e95593719ae1833e5db8daf04a16c977158f633886e731729882d6b15
Instruction ID: 1dc2e6510d7a8b3376017f75bc0bbea1bcce5f88e2b3ab9b9b44a86e2b92b094
Opcode Fuzzy Hash: 4853d94e95593719ae1833e5db8daf04a16c977158f633886e731729882d6b15
Instruction Fuzzy Hash: 1921A1B0A42355EBDB118F64EC88BAA3BA4BF11355F500236F4109A2B2D3785C81CF9C

Function 00475711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00475726
_memcmp.LIBVCRUNTIME ref: 00475744
_memcmp.LIBVCRUNTIME ref: 00475757
_memcmp.LIBVCRUNTIME ref: 0047576F
_memcmp.LIBVCRUNTIME ref: 00475787

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7af7611d85b753bd4b00e5a3d71d25766f0c44141e088f0aad73b1a16dcb494e
Instruction ID: 95fe706676b1af874f0c5f7b09a68588c1f1f1fbdab0b9d9e0dbd6ae1940ddaf
Opcode Fuzzy Hash: 7af7611d85b753bd4b00e5a3d71d25766f0c44141e088f0aad73b1a16dcb494e
Instruction Fuzzy Hash: 200192A1641A09BAA20C55129D82FFB635C9B253A8F108037FD089EA41F7ADED1582AD

Function 00442DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6), ref: 00442DFD
_free.LIBCMT ref: 00442E32
_free.LIBCMT ref: 00442E59
SetLastError.KERNEL32(00000000,00411129), ref: 00442E66
SetLastError.KERNEL32(00000000,00411129), ref: 00442E6F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 18d39f4f35d788565a69eccbb32a4c16798351e5bd8cd9fe340a28c4741db5af
Instruction ID: 2a8e50c9df9d9ed104c4451fdea57554a7bd7abfa23c90cdcfea427223f98d00
Opcode Fuzzy Hash: 18d39f4f35d788565a69eccbb32a4c16798351e5bd8cd9fe340a28c4741db5af
Instruction Fuzzy Hash: 7A01F97224560167F61267366E85D2F2659ABD27A97F5003FF825E2293EEFCCC01412C

Function 0047000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?,?,0047035E), ref: 0047002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?), ref: 00470064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470070

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e89e9185c9af94200255ca9a4afe8ad41df043aa060daf5fe0e1f4606f23c83a
Instruction ID: 23021f586f535801a659cad62ed450542fa43cbbbcdb01b6b7b344be3df9142e
Opcode Fuzzy Hash: e89e9185c9af94200255ca9a4afe8ad41df043aa060daf5fe0e1f4606f23c83a
Instruction Fuzzy Hash: D901A272601204FFDB505F68EC44BEA7EEDEF44762F148129F909D6210D779DD409BA4

Function 0047E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0047E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0047E9A5
Sleep.KERNEL32(00000000), ref: 0047E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0047E9B7
Sleep.KERNEL32 ref: 0047E9F3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2179a7372f7dbf06ae8ae120ef0d17ef4bee33749576cdcef1aed6ef2d0e4017
Instruction ID: f2088184f57336d844a909f770ddc2b3d6f329e7bd0d8ac59f20cd0a270141e8
Opcode Fuzzy Hash: 2179a7372f7dbf06ae8ae120ef0d17ef4bee33749576cdcef1aed6ef2d0e4017
Instruction Fuzzy Hash: BA01A1B2D01529DBCF409FE6DD886DDBB78FF0E300F004296D601B2241CB384551CB69

Function 004710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7f78811814a72b0c02fdbb5afd4f8e47da716614da87759c790437b700499d45
Instruction ID: 3f38b739c9eebb035901a3d6181a786c075046380bdc294c554717718219e434
Opcode Fuzzy Hash: 7f78811814a72b0c02fdbb5afd4f8e47da716614da87759c790437b700499d45
Instruction Fuzzy Hash: CC011D79200205BFDB514FA9DC89AAB3F6EEF8A360B504425FA46D7360DA31DD009E64

Function 00470FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00470FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00470FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00470FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00470FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00471002

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2c84c71b5a7be7f69b4e30d5384410c2d2d18b4f021ee88ab878231e16aa690e
Instruction ID: b8981c4fdc8285d3277d01006d97029e100e31809b1bdea7f56964640f9af566
Opcode Fuzzy Hash: 2c84c71b5a7be7f69b4e30d5384410c2d2d18b4f021ee88ab878231e16aa690e
Instruction Fuzzy Hash: F2F0A975200301ABDB210FA89C89F973FADEF8A762F104825FA09D6260DE70DC408A64

Function 00471014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0047102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00471036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0047104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471062

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e20494f3a47d287b625f89700a330764807d549aeea3c630d1e7064eb03ff2b7
Instruction ID: 40e34e9eae8a88c544268f3db91f3f00edc97a0506d78080eabd363fde28ffe1
Opcode Fuzzy Hash: e20494f3a47d287b625f89700a330764807d549aeea3c630d1e7064eb03ff2b7
Instruction Fuzzy Hash: 0DF0A975200301ABDB211FA8EC88F973FADEF8A761F104425FA09E6260DE70D8408A64

Function 0048030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480324
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480331
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 0048033E
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 0048034B
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480358
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480365

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f34691dd8f73bd4e4db5348961348b5a9e62097038b719dd2a7259ee131cb3a4
Instruction ID: c32c7e71f5cdd539bc6d4072fb9e5749306e480631bf004e3a27d4ae3b5c44a9
Opcode Fuzzy Hash: f34691dd8f73bd4e4db5348961348b5a9e62097038b719dd2a7259ee131cb3a4
Instruction Fuzzy Hash: 1101DC72800B019FCB30AF66D88080BFBF9BE602053058E3FD19252A30C3B4A948CF84

Function 0044D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D752

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044D764
_free.LIBCMT ref: 0044D776
_free.LIBCMT ref: 0044D788
_free.LIBCMT ref: 0044D79A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 143f466ed7a907e6981e3a3d70175cf5e3502c2cea1d21b49757def193a6f240
Instruction ID: 14dbad4606ffe41d2f073dcaad61d9b2f57bc155d9c8a2c59d83fd0eab05b2ef
Opcode Fuzzy Hash: 143f466ed7a907e6981e3a3d70175cf5e3502c2cea1d21b49757def193a6f240
Instruction Fuzzy Hash: 16F012B2A45205ABA621FB66FAC5C177BDDBB44715BD40C1BF048D7601C778FC80866C

Function 00475C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00475C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00475C6F
MessageBeep.USER32(00000000), ref: 00475C87
KillTimer.USER32(?,0000040A), ref: 00475CA3
EndDialog.USER32(?,00000001), ref: 00475CBD

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: bb59ec5287a00e61e4ab1e5b9356a4277eba31e13a9486c6b36868533097a465
Instruction ID: 9a317d90fb9fe38d13e78c233653d40680c15c65805b64baaf6f06db39f602f6
Opcode Fuzzy Hash: bb59ec5287a00e61e4ab1e5b9356a4277eba31e13a9486c6b36868533097a465
Instruction Fuzzy Hash: F3018630500B04AFFB215B10DD8EFE67BB8BB01B05F04456AA587A50E1DBF4A9898A99

Function 004422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004422BE

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 004422D0
_free.LIBCMT ref: 004422E3
_free.LIBCMT ref: 004422F4
_free.LIBCMT ref: 00442305

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd1493f46af5fbeff70f7d3d265acb9415c9f2c44b8aa34cf693d3a80b904407
Instruction ID: ded007adef903f19d41836a550c5a512f8eca7a9e8d7194f03c9851f85b970ad
Opcode Fuzzy Hash: bd1493f46af5fbeff70f7d3d265acb9415c9f2c44b8aa34cf693d3a80b904407
Instruction Fuzzy Hash: DCF054F45411919BAA12BF56BDC180D3B64F718761780056BF410EA372C7F91452EFEC

Function 004295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004295D4
StrokeAndFillPath.GDI32(?,?,004671F7,00000000,?,?,?), ref: 004295F0
SelectObject.GDI32(?,00000000), ref: 00429603
DeleteObject.GDI32 ref: 00429616
StrokePath.GDI32(?), ref: 00429631

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 431a56af6126d74fb934f5478809107661f17544e590573119585be63491499a
Instruction ID: 95a409aef37bcee009baea42993923f6b71e8e16e567864d5747744f86aa7a26
Opcode Fuzzy Hash: 431a56af6126d74fb934f5478809107661f17544e590573119585be63491499a
Instruction Fuzzy Hash: 08F0AF7114A244EBDB164FA4ED8C7653FA1BB02322F408234F425591F3CB388991CF2C

Function 00440F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004410F9
__freea.LIBCMT ref: 00441117

Part of subcall function 00441537: _free.LIBCMT ref: 0044154F

Strings

a/p, xrefs: 004411DE
am/pm, xrefs: 0044117A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ac29a15a75f5bae84f4bf38eaca9e3f7c03b467563d47b9fea527550e3e37074
Instruction ID: 0ceb46b2ee8850823f06aeb7929aa029d6cc207dcfd13acb96d393fe0527b033
Opcode Fuzzy Hash: ac29a15a75f5bae84f4bf38eaca9e3f7c03b467563d47b9fea527550e3e37074
Instruction Fuzzy Hash: 9BD1DE31A002069AFB249F68C845ABBB7B0FF05700F28415BE911ABB61D37D9DC1CB99

Function 004961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00430242: EnterCriticalSection.KERNEL32(004E070C,004E1884,?,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043024D
Part of subcall function 00430242: LeaveCriticalSection.KERNEL32(004E070C,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043028A

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

__Init_thread_footer.LIBCMT ref: 00496238

Part of subcall function 004301F8: EnterCriticalSection.KERNEL32(004E070C,?,?,00428747,004E2514), ref: 00430202
Part of subcall function 004301F8: LeaveCriticalSection.KERNEL32(004E070C,?,00428747,004E2514), ref: 00430235

Part of subcall function 0048359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004835E4
Part of subcall function 0048359C: LoadStringW.USER32(004E2390,?,00000FFF,?), ref: 0048360A

Strings

x#N, xrefs: 0049633A
x#N, xrefs: 00496353
x#N, xrefs: 0049636F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#N$x#N$x#N
API String ID: 1072379062-56826683
Opcode ID: 39147560ad18f31416446e838bdff74776310c3d71ce3773bbb55d3b3734d6f4
Instruction ID: c9ba9791fd84f5f4aa6aa16194e221c61a93dfe8eef98ed134441fb040390de9
Opcode Fuzzy Hash: 39147560ad18f31416446e838bdff74776310c3d71ce3773bbb55d3b3734d6f4
Instruction Fuzzy Hash: C3C17F71A00105AFCF14EF99D890EBEBBB9EF48314F12806EE9059B251D778ED45CB98

Function 00445AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOA, xrefs: 00445BA8, 00445C6C

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: JOA
API String ID: 0-4101436360
Opcode ID: 87deaf03650484b5bfb456725a0e376c9996693db3396a84479cb781f0a7f70a
Instruction ID: 81db98df509d698b7c7209a264c5ff66790e7bc3a0b2e1f92e08d4c7083a60d6
Opcode Fuzzy Hash: 87deaf03650484b5bfb456725a0e376c9996693db3396a84479cb781f0a7f70a
Instruction Fuzzy Hash: 4151C171D006099FEF209FA5C885FAFBBB4EF09314F14005BF405A7293D6799902CB6A

Function 00448A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00448B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00448B7A
__dosmaperr.LIBCMT ref: 00448B81

Strings

.C, xrefs: 00448A63

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .C
API String ID: 2434981716-1181961956
Opcode ID: b4b5be51b042283190a2174b5a85a689248d549f55c904eed8fcce7da5501a6a
Instruction ID: 876e3e89d12ec28d3a816206eda3b7418d01e9375f873fec0301dd9fe1d29aae
Opcode Fuzzy Hash: b4b5be51b042283190a2174b5a85a689248d549f55c904eed8fcce7da5501a6a
Instruction Fuzzy Hash: A5418E70604085AFFB249F24CC81A7E7FA5DB86304F2841AFF85497242DE799C53979C

Function 00472716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004721D0,?,?,00000034,00000800,?,00000034), ref: 0047B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00472760

Part of subcall function 0047B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0047B3F8

Part of subcall function 0047B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0047B355
Part of subcall function 0047B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00472194,00000034,?,?,00001004,00000000,00000000), ref: 0047B365
Part of subcall function 0047B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00472194,00000034,?,?,00001004,00000000,00000000), ref: 0047B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0047281A

Strings

@, xrefs: 00472832

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e75cdcd01f02b8d1c994f5de6ad2e6fb2f374daa85f874f4d6fa5a51d1b83f7d
Instruction ID: ece7c4acca13ec0c699f4aa41f657afa398bf470d499fc4f00e7c5bbaa8e9516
Opcode Fuzzy Hash: e75cdcd01f02b8d1c994f5de6ad2e6fb2f374daa85f874f4d6fa5a51d1b83f7d
Instruction Fuzzy Hash: AB413072900218AFDB10DFA4CD41BDEBBB8EF05304F00819AFA59B7181DB756E85CB95

Function 0044172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00441769
_free.LIBCMT ref: 00441834
_free.LIBCMT ref: 0044183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00441760, 00441767, 00441796, 004417CE

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: b4561e3ece174b7b87abf092e99de7caf8d94870fbd739fdd3e471e05f8cf732
Instruction ID: e6daf98204c1486b4033c53dace1f45ae52d7552e79a54cd432265da8d768396
Opcode Fuzzy Hash: b4561e3ece174b7b87abf092e99de7caf8d94870fbd739fdd3e471e05f8cf732
Instruction Fuzzy Hash: 4C318371A40258ABEB21DB9A9C81D9FBBFCEB85310B1441ABF504A7221D6744A80CB98

Function 0047C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0047C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0047C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004E1990,01895708), ref: 0047C395

Strings

0, xrefs: 0047C2DF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 861342acafa3479daa35de97740a82bca3f1f25c9ee3e0d31f31d9a706338fd6
Instruction ID: ca7b83f462996cfa4db5589584a919406778e3f4ac46951a50779401c90e84e1
Opcode Fuzzy Hash: 861342acafa3479daa35de97740a82bca3f1f25c9ee3e0d31f31d9a706338fd6
Instruction Fuzzy Hash: 2E418F712043019FD720DF25D884B9ABBE8AB85324F14C61EFDA9972D1D778A904CB6A

Function 004A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004ACC08,00000000,?,?,?,?), ref: 004A44AA
GetWindowLongW.USER32 ref: 004A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A44D7

Strings

SysTreeView32, xrefs: 004A447C

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 880e6787fa4053b923dd72c85b75bc62b710673df055dd979284f2a8ff52493d
Instruction ID: e45ae8497fde00ea699975e0baa6b1a08c5326ba50c8acc82a69c4faa1a0856d
Opcode Fuzzy Hash: 880e6787fa4053b923dd72c85b75bc62b710673df055dd979284f2a8ff52493d
Instruction Fuzzy Hash: A831B231200205AFDB208F78DC45BDB7BA9EB9A338F20472AF975922D0D7B8EC509754

Function 00476E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00476EED
VariantCopyInd.OLEAUT32(?,?), ref: 00476F08
VariantClear.OLEAUT32(?), ref: 00476F12

Strings

*jG, xrefs: 00476E8B, 00476E90, 00476EF8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jG
API String ID: 2173805711-3174124858
Opcode ID: 532eaa85fe75b0e4e21517a9be614e7ddc8613fb8b063b750d59b156a4094bf4
Instruction ID: ca92d3ab91f30acc51170f67dcaca04aec4c3d6986c15e87d1a0a1d2b614d77a
Opcode Fuzzy Hash: 532eaa85fe75b0e4e21517a9be614e7ddc8613fb8b063b750d59b156a4094bf4
Instruction Fuzzy Hash: 8F319071704606DBCB04AF65E8909FE3777EF45308B1144AAF90A4B2A1C7389952DBDD

Function 0049304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00493077,?,?), ref: 00493378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
_wcslen.LIBCMT ref: 0049309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00493106

Strings

255.255.255.255, xrefs: 00493095, 0049309A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b846ea03849b7cf3a037420d21f80fadcfd4415dea69e6d5f869bc7357fa7a48
Instruction ID: 2309739ad176778b1fbb4edccff78af1228bb4c28be928dd8ee4c6289cc451b6
Opcode Fuzzy Hash: b846ea03849b7cf3a037420d21f80fadcfd4415dea69e6d5f869bc7357fa7a48
Instruction Fuzzy Hash: A331D5352002019FCF20DF69C486EAA7FE0EF56319F24806AE9158B3A2D779EE45C765

Function 004A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004A471A

Strings

msctls_updown32, xrefs: 004A4684

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d4944e9b556eb0b9e5f146698d3d0f3c0d53e2fd79fa4ba854c3605969a50de7
Instruction ID: 342302416842dbe5e8a820cf96fba1abf55ab34af325e8514b308ddfa1708659
Opcode Fuzzy Hash: d4944e9b556eb0b9e5f146698d3d0f3c0d53e2fd79fa4ba854c3605969a50de7
Instruction Fuzzy Hash: CD2162B5601244AFDB10DF68DCC1DBB37ADEB9B398B04005AFA009B361DB74EC51CA64

Function 004795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047961D

Strings

#notrayicon, xrefs: 004795B7
#OnAutoItStartRegister, xrefs: 004795F3
#requireadmin, xrefs: 004795D9

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 64dcfe73b405c8eb4813e3623093163506a3265835af3dd6e88bae5ae9de11da
Instruction ID: aa405bb422afbe7927a0bb2e7d602d9b8112f0a1fb63b39fa494f1d455cd9b62
Opcode Fuzzy Hash: 64dcfe73b405c8eb4813e3623093163506a3265835af3dd6e88bae5ae9de11da
Instruction Fuzzy Hash: 06212E7210462166D331AB269C02FF773E89F65314F54802FF94D97241EB5DAD45C29D

Function 004A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004A3876

Strings

Listbox, xrefs: 004A380F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 4774221057044af95b8dc44b54bbd4d565a11c2dd4b0e2acd17bb3da107af83f
Instruction ID: bdf332832c4d3c633d1f203710be3d44e1e59fcd21e73d3262a835f34456e84d
Opcode Fuzzy Hash: 4774221057044af95b8dc44b54bbd4d565a11c2dd4b0e2acd17bb3da107af83f
Instruction Fuzzy Hash: 862107726001187BEF11DF54CC80FBB376EEF9A754F10812AF9009B290D679DC518794

Function 004849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00484A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00484A5C
SetErrorMode.KERNEL32(00000000,?,?,004ACC08), ref: 00484AD0

Strings

%lu, xrefs: 00484A6F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: fa5d26eb0e0566b1e5d05ecefd26c460b1112efcd8688c8e78f352778cbdedf0
Instruction ID: c4e3ee8dfc34bc2c52ffc4d8305aea6d59b9c2d21503e4231c32b609fe6cbba1
Opcode Fuzzy Hash: fa5d26eb0e0566b1e5d05ecefd26c460b1112efcd8688c8e78f352778cbdedf0
Instruction Fuzzy Hash: 0D318075A00109AFD710DF54C885EAE7BF8EF49308F1480AAE809DB352DB75ED45CB65

Function 004A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004A4271

Strings

msctls_trackbar32, xrefs: 004A4226

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 803734ff345fb930105773d849f1d0ed670929e1412b7aff903d1749a56e7ad4
Instruction ID: d34ff235fa9ffbdd703f64f95d5d4ad6ceb2d31c266f3ebcbd5deaee30c8d840
Opcode Fuzzy Hash: 803734ff345fb930105773d849f1d0ed670929e1412b7aff903d1749a56e7ad4
Instruction Fuzzy Hash: 6A113A322402087EEF205F25CC45FAB3BACEFD6764F010126FA40E6190D2B5DC518B18

Function 00472F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Part of subcall function 00472DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00472DC5
Part of subcall function 00472DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00472DD6
Part of subcall function 00472DA7: GetCurrentThreadId.KERNEL32 ref: 00472DDD
Part of subcall function 00472DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00472DE4

GetFocus.USER32 ref: 00472F78

Part of subcall function 00472DEE: GetParent.USER32(00000000), ref: 00472DF9

GetClassNameW.USER32(?,?,00000100), ref: 00472FC3
EnumChildWindows.USER32(?,0047303B), ref: 00472FEB

Strings

%s%d, xrefs: 00472FFF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 938b035bf15ce9bc11b5fdff85247d92f06d5eca47bf9eac341b8ee427d3f23e
Instruction ID: 7cba6459d84f60ebceb6e958ef49e9b8f75ae700e1641ecb818d52fbb0678e4f
Opcode Fuzzy Hash: 938b035bf15ce9bc11b5fdff85247d92f06d5eca47bf9eac341b8ee427d3f23e
Instruction Fuzzy Hash: 0911E4B16002056BCF50BF718CC5FEE376AAF84308F04807BF90D9B252DE7899499B68

Function 004A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004A58EE
DrawMenuBar.USER32(?), ref: 004A58FD

Strings

0, xrefs: 004A588F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 09c96403d485ad9761e12f6e50c2bdb1dd3a95b975ccce58339d0c9bcef00b1a
Instruction ID: 6cce3f63e860bbd74be7087d248058969e21914c936b1b22677b24cb85b8bc67
Opcode Fuzzy Hash: 09c96403d485ad9761e12f6e50c2bdb1dd3a95b975ccce58339d0c9bcef00b1a
Instruction Fuzzy Hash: 68018471500218EFDB519F11EC44BAFBBB8FF46360F1080AAF849DA251DB348A84DF25

Function 0046D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0046D3BF
FreeLibrary.KERNEL32 ref: 0046D3E5

Strings

X64, xrefs: 0046D2A8
GetSystemWow64DirectoryW, xrefs: 0046D3B9

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f1f536a6f2a6af520e501bc44b8f85bf0ddf890d1d1d9cf08b3cb1e71b5a83b9
Instruction ID: eb3fd32eb4a23ec234452eacef63ff6ae43b5d4cafe3d40ef5ada43a0b1292ec
Opcode Fuzzy Hash: f1f536a6f2a6af520e501bc44b8f85bf0ddf890d1d1d9cf08b3cb1e71b5a83b9
Instruction Fuzzy Hash: C3F055B1F05A208BD7B102115CB4AAA3720AF11702B98C1A7EC02E9308F72CCC818ADF

Function 0047007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e7a76b08c311a0456e80ac93ce77fd7f81d2607a6960046681a79c580d8619
Instruction ID: 30904cbb3f1f7f3b0e0d26bc88f3c04b36d29190e2af97f3209cc02610a4562d
Opcode Fuzzy Hash: b4e7a76b08c311a0456e80ac93ce77fd7f81d2607a6960046681a79c580d8619
Instruction Fuzzy Hash: 64C16C75A0120AEFDB14CFA4C894EAEB7B5FF48304F208599E909EB251D735ED42CB94

Function 0049342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00493459
CoUninitialize.OLE32 ref: 00493463
VariantInit.OLEAUT32(?), ref: 0049346E
VariantClear.OLEAUT32(?), ref: 0049371B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3983d4b5174a8f8509d461ca3e6607f8c9bae26427699d4236e4aa1a94cb39a0
Instruction ID: 35e2ece6c6adc5468c17c6a0e55e15e1f88f114d03215012f1905c35e75a5f7d
Opcode Fuzzy Hash: 3983d4b5174a8f8509d461ca3e6607f8c9bae26427699d4236e4aa1a94cb39a0
Instruction Fuzzy Hash: 4DA16E75204300AFCB10DF25C485A5ABBE5FF89719F04885EF94A9B362DB38ED41CB5A

Function 00470436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004AFC08,?), ref: 004705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004AFC08,?), ref: 00470608
CLSIDFromProgID.OLE32(?,?,00000000,004ACC40,000000FF,?,00000000,00000800,00000000,?,004AFC08,?), ref: 0047062D
_memcmp.LIBVCRUNTIME ref: 0047064E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 49d480c9e0232dd85253fb5e1a619da80e2ee7ae5ab4adc54cd0f5f3244fd1b8
Instruction ID: 6666d4d76a5eabef93e750efca45d4cb71ebea393a0ee7ec06c185f2e6e5e93f
Opcode Fuzzy Hash: 49d480c9e0232dd85253fb5e1a619da80e2ee7ae5ab4adc54cd0f5f3244fd1b8
Instruction Fuzzy Hash: CB813971A00109EFCB04DF94C984EEEB7B9FF89315F208159F506AB250DB75AE06CB64

Function 0049A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0049A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0049A6BA

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Process32NextW.KERNEL32(00000000,?), ref: 0049A79C
CloseHandle.KERNEL32(00000000), ref: 0049A7AB

Part of subcall function 0042CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00453303,?), ref: 0042CE8A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d3bc3f1d386050d24e0a5202824667c5ec072c02e6a1227486468522d91f1b14
Instruction ID: df926239ac5d77136032d197bdc39203963052ccd754074aa1f0b18be269c5cb
Opcode Fuzzy Hash: d3bc3f1d386050d24e0a5202824667c5ec072c02e6a1227486468522d91f1b14
Instruction Fuzzy Hash: 0A518171508300AFC710EF25C886A5BBBF8FF89758F40492EF58597251EB34E944CB96

Function 00451391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004514C0

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8d07611b345f147778ec4bee98ff6eab5d28410972cbdfc56c99cc14b695cf94
Instruction ID: 9b124a8551b40aada1c48fc126a7b84a76fc1153a0df3f8410306c87279c5abc
Opcode Fuzzy Hash: 8d07611b345f147778ec4bee98ff6eab5d28410972cbdfc56c99cc14b695cf94
Instruction Fuzzy Hash: 52414131900100A7EB256BBA8C45B6F3AA4EF47379F14126BFC14D62F3E67C48495269

Function 004A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A62E2
ScreenToClient.USER32(?,?), ref: 004A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004A6382

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4825c11e2167e88004f225f39307592f56ba0d89aacb7d7a96589b554e058f78
Instruction ID: 11bd6ad433e23e12338e730dfdeedd3a83641ac58d97fca0e4aa8655945ee193
Opcode Fuzzy Hash: 4825c11e2167e88004f225f39307592f56ba0d89aacb7d7a96589b554e058f78
Instruction Fuzzy Hash: 77515C75A00209EFCF10DF68D880AAE7BB5EB66360F15816AF8159B3A1D734ED81CB54

Function 00491AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00491AFD
WSAGetLastError.WSOCK32 ref: 00491B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00491B8A
WSAGetLastError.WSOCK32 ref: 00491B94

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 42d8a671c9e0dea82dfdaa88628f17149bc70e7fda7e18c5f1127a4de40f3cb9
Instruction ID: 5838e8bb0a7c4d6a5d4fc4d59643e5c8a4caa6b83900d64a435e38f72263d2ed
Opcode Fuzzy Hash: 42d8a671c9e0dea82dfdaa88628f17149bc70e7fda7e18c5f1127a4de40f3cb9
Instruction Fuzzy Hash: B041E334600201AFDB20AF25C886F667BE5AB44708F54C45DF91A8F3D3D77AED828B94

Function 0044B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827480882dd9c1f8c197c620b9e981d251778628a1b402f35e200e47cb506d8b
Instruction ID: dd47dff0d69632b1fc069f2b275dbdf994a5d5a1e7ba879f1174c8a7cf57d6d5
Opcode Fuzzy Hash: 827480882dd9c1f8c197c620b9e981d251778628a1b402f35e200e47cb506d8b
Instruction Fuzzy Hash: 21411571A00704BFE7249F39CC42BAABBA9EB88714F10852FF555DB292D379E90187D4

Function 004856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00485783
GetLastError.KERNEL32(?,00000000), ref: 004857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004857FA

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5f0f4c100b1a50d0fc1f14d23f28f5df87dd9aa909db56d5ac9ec0e2c783b0c0
Instruction ID: 1e1c1169006bbf6b6143515db2d0c20cab159cc2f3de8a0992a1fa34eb0b59a9
Opcode Fuzzy Hash: 5f0f4c100b1a50d0fc1f14d23f28f5df87dd9aa909db56d5ac9ec0e2c783b0c0
Instruction Fuzzy Hash: 15414135600610DFCB11EF15C484A5EBBF2EF49318B18C89AE84A5B361CB38FD41CB95

Function 0044D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00436D71,00000000,00000000,004382D9,?,004382D9,?,00000001,00436D71,?,00000001,004382D9,004382D9), ref: 0044D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0044D9AB
__freea.LIBCMT ref: 0044D9B4

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: db6fc114a5125d9c4aeb1be850741bfce174e58f50b987c98a5e3acc735e1d1d
Instruction ID: e8bde2569c75b5926976a0984e8d8c2a6f801f9ae542add750c0619c37f1fac0
Opcode Fuzzy Hash: db6fc114a5125d9c4aeb1be850741bfce174e58f50b987c98a5e3acc735e1d1d
Instruction Fuzzy Hash: 9231CDB2A0020AABEF249F65DC81EAF7BA5EF41710F05016AFC04D6290EB39CD50CB94

Function 004A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004A5352
GetWindowLongW.USER32(?,000000F0), ref: 004A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004A53A8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: cac88b56cb4744f60406c7bb9657527409bd96b5b70ef398f1faf8076d212c98
Instruction ID: 5e8ae4d23a4f02b47f2ee34d72c6edb614801b4ce34adc7abb237c8f3a33946b
Opcode Fuzzy Hash: cac88b56cb4744f60406c7bb9657527409bd96b5b70ef398f1faf8076d212c98
Instruction Fuzzy Hash: F231E430A55A08FFEF309E14DE45BEA3761ABA6390F584113FE11962E1C7B89D40DB4A

Function 0047AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0047ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0047AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0047AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0047ACC6

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2e85973924a3b6836fea5be79c1db061b3275b2a578a557089be282fa5378c83
Instruction ID: 9b7cd69b858423b3bd1728dbb7ac65d4c7f4aa9068d8a61e12e4371e9a0aec77
Opcode Fuzzy Hash: 2e85973924a3b6836fea5be79c1db061b3275b2a578a557089be282fa5378c83
Instruction Fuzzy Hash: E031F830A006187FEF36CB658809BFF7BA5ABC5310F04C21BE489522D1C37D89A5879B

Function 004A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004A769A
GetWindowRect.USER32(?,?), ref: 004A7710
PtInRect.USER32(?,?,004A8B89), ref: 004A7720
MessageBeep.USER32(00000000), ref: 004A778C

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ad9f01b04d0407ebe58d1bd6a8efa648627726e7214698e0dfb4ece4a22d255d
Instruction ID: 281c847e5ef4d4bb3d3a3a44e00c7075ba0e0596c4a0cda96c2079c6931409f3
Opcode Fuzzy Hash: ad9f01b04d0407ebe58d1bd6a8efa648627726e7214698e0dfb4ece4a22d255d
Instruction Fuzzy Hash: 0D419F78605254DFCB21CF58CC94EAA77F4BB5A314F1541AAE4149B362C738B941CF98

Function 004A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004A16EB

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

GetCaretPos.USER32(?), ref: 004A16FF
ClientToScreen.USER32(00000000,?), ref: 004A174C
GetForegroundWindow.USER32 ref: 004A1752

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c1dc95facfe6ee1440833f223fb5cfa58ea6465fa3fc6fbec1d51d8f98b5bfc7
Instruction ID: 7f96c364aa62962e8546d8dc61a75a9c9848e96c4e7ba32d5638bef45d9228bd
Opcode Fuzzy Hash: c1dc95facfe6ee1440833f223fb5cfa58ea6465fa3fc6fbec1d51d8f98b5bfc7
Instruction Fuzzy Hash: 73313D75D00249AFC700EFAAC8C18EEBBF9EF49308B5080AAE415E7251D635DE45CBA4

Function 004A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

GetCursorPos.USER32(?), ref: 004A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00467711,?,?,?,?,?), ref: 004A9016
GetCursorPos.USER32(?), ref: 004A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00467711,?,?,?), ref: 004A9094

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 92e249b46de13416d1d93ccc39a885b4193c78241ceac73206379186a51af7de
Instruction ID: 935d4800c79c01b11d80747103308528a3e2cbb5f504a3cd88e748a6b9cab65d
Opcode Fuzzy Hash: 92e249b46de13416d1d93ccc39a885b4193c78241ceac73206379186a51af7de
Instruction Fuzzy Hash: 4B219F35604018FFCB258F94D898EEB7BB9EB4A390F14806AF9054B262C3399D90DB64

Function 0047D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004ACB68), ref: 0047D2FB
GetLastError.KERNEL32 ref: 0047D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0047D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004ACB68), ref: 0047D376

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2cbf998efb7b84d7c9b93faf74577725f69a0ba50cd196103bfbaaf45d0c1633
Instruction ID: a93264fde7d96f01c7be7b17843a0f24cf62a776a4c71e9b68568ef6115461f8
Opcode Fuzzy Hash: 2cbf998efb7b84d7c9b93faf74577725f69a0ba50cd196103bfbaaf45d0c1633
Instruction Fuzzy Hash: E72194709142019F8700DF24C8814EB77F4AE56368F108A1FF899C72A1DB35DD46CB9B

Function 00471571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00471014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0047102A
Part of subcall function 00471014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00471036
Part of subcall function 00471014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471045
Part of subcall function 00471014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0047104C
Part of subcall function 00471014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004715BE
_memcmp.LIBVCRUNTIME ref: 004715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00471617
HeapFree.KERNEL32(00000000), ref: 0047161E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 67ddbd88e4e5af09870c64dc9d6605923ecca63a1c17edca9303cd8587e4c3c5
Instruction ID: d9dfff3dabab45ceb8714f1668bca5812e270d89e350ba0174a533abbe99d602
Opcode Fuzzy Hash: 67ddbd88e4e5af09870c64dc9d6605923ecca63a1c17edca9303cd8587e4c3c5
Instruction Fuzzy Hash: 2921AE71E00108EFDF04DFA8C944BEFB7B8EF45344F18845AE445AB250E734AA04DB94

Function 004A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004A2840

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 32d6e3762ba7350183a8e24eaf63ea573b5a21e05bf2005e2b599879745df4f7
Instruction ID: db56252bdc6e01d2df789c08ab52efa053a809606eb9348d55a1efcbf3e682fd
Opcode Fuzzy Hash: 32d6e3762ba7350183a8e24eaf63ea573b5a21e05bf2005e2b599879745df4f7
Instruction Fuzzy Hash: 6A212735204510BFD7149B18C944FAA7B95EF56328F14421EF4268B2D2C7B9FC82C7D4

Function 004778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00478D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?), ref: 00478D8C
Part of subcall function 00478D7D: lstrcpyW.KERNEL32(00000000,?,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00478DB2
Part of subcall function 00478D7D: lstrcmpiW.KERNEL32(00000000,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?), ref: 00478DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477923
lstrcpyW.KERNEL32(00000000,?,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477984

Strings

cdecl, xrefs: 0047797B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e6ce1e76948cc15f4165c043d0b2b774ffefbd0a7f6723b23e9d76211a45fa76
Instruction ID: f817beb4e83c21496eaef826c97270e96265de037aa7a0ba54ec5e5f834742d1
Opcode Fuzzy Hash: e6ce1e76948cc15f4165c043d0b2b774ffefbd0a7f6723b23e9d76211a45fa76
Instruction Fuzzy Hash: 961106BA201201ABDB259F35D844EBB77A9FF95354B90802FF90AC7364EB359801C799

Function 004A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0048B7AD,00000000), ref: 004A7D6B

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4d116b3a2b0ef00409dc8062ed860a11a21c4d6f944aa111f0220a360637a86c
Instruction ID: 2ff3fdd6f282687191af6c6a1e9b2827e79318cc6051e5ebe701b8a412397121
Opcode Fuzzy Hash: 4d116b3a2b0ef00409dc8062ed860a11a21c4d6f944aa111f0220a360637a86c
Instruction Fuzzy Hash: 2711D271604664AFCB209F28CC44EAA3BA4BF46360B154325F835CB2F0D7349D11CB48

Function 004A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004A56BB
_wcslen.LIBCMT ref: 004A56CD
_wcslen.LIBCMT ref: 004A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004A5816

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 40fbca56e91c3880ad024139c5cd30f0f34810fba1066e50c22e1c13d253272d
Instruction ID: 93121e1a561321c9f23ce53c36f06316e67adc567e77f579c6c7e89628b9b1c7
Opcode Fuzzy Hash: 40fbca56e91c3880ad024139c5cd30f0f34810fba1066e50c22e1c13d253272d
Instruction Fuzzy Hash: 8111E47160060496DB20DF618D81AEF377CBF26364F10402BF905D6181EB789984CB69

Function 00441D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693c1b9348d53e0b407e5a73963cad68b971c5e093a46b6d6118ecbda7eda00f
Instruction ID: 9c390f9af195b6f70818d3e09ce3d1c66d0ad593979d0d7e4b33f55b196544e3
Opcode Fuzzy Hash: 693c1b9348d53e0b407e5a73963cad68b971c5e093a46b6d6118ecbda7eda00f
Instruction Fuzzy Hash: C101A2F2B056163EF62116796CC0F27661DDF423B8B34032BF531512E2DB78AC814178

Function 00471A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00471A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A8A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7644f6fb94bcaf4e820bbc0acd5abd0986869e14feafce7cfe9c983fb9f9b38c
Instruction ID: c9cefd1887674e26659ef604a5fb5134bf2a5a4f64c1251a1edf0bb595c37f8d
Opcode Fuzzy Hash: 7644f6fb94bcaf4e820bbc0acd5abd0986869e14feafce7cfe9c983fb9f9b38c
Instruction Fuzzy Hash: 51113C3AD01219FFEB10DBA9CD85FEDBB78EB04750F204092E604B7290D6716E50DB98

Function 0047E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0047E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0047E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0047E24D

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c104f3af63004dd52515a7bc3390fe84f3dc41de93c5742a118a384d4a9fb2ca
Instruction ID: b6a6a592197608a640e563703b85459fdc524964f18a76730567629e4bcabd6a
Opcode Fuzzy Hash: c104f3af63004dd52515a7bc3390fe84f3dc41de93c5742a118a384d4a9fb2ca
Instruction Fuzzy Hash: 9C110876A04254BBD7019BA99C45ADF7FAC9B49310F1083A6F818E7292D6748D008BA8

Function 0043D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0043CFF9,00000000,00000004,00000000), ref: 0043D218
GetLastError.KERNEL32 ref: 0043D224
__dosmaperr.LIBCMT ref: 0043D22B
ResumeThread.KERNEL32(00000000), ref: 0043D249

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 52d39bbaf73147edf9d085802b1177c033876b141600fdaad03e42d67c866e35
Instruction ID: 51834051b16dd18420ce9ff13f306668a1988137b665389d80b9f0c1e11753a7
Opcode Fuzzy Hash: 52d39bbaf73147edf9d085802b1177c033876b141600fdaad03e42d67c866e35
Instruction Fuzzy Hash: 94012632C04104BBDB105BA6EC05BAF7E68DF8A334F20126AF824921D0CF75C805C7A9

Function 004A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

GetClientRect.USER32(?,?), ref: 004A9F31
GetCursorPos.USER32(?), ref: 004A9F3B
ScreenToClient.USER32(?,?), ref: 004A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 004A9F7A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b2dec96a9606d0f0bf73f7233cd8aa875d21695e8f204e159abdd8693184b314
Instruction ID: 98fec1e1e37514280c8ac5d622cc9169f06ebb00828e5fc2c4889cfb7e3194a3
Opcode Fuzzy Hash: b2dec96a9606d0f0bf73f7233cd8aa875d21695e8f204e159abdd8693184b314
Instruction Fuzzy Hash: D6113632A0015AAFDF14DF69D8859EE7BB8FB0A315F000466F901E7151D338BE81CBA9

Function 0041600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
GetStockObject.GDI32(00000011), ref: 00416060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a74eaccfdf4773ea6a60f566481b17940b87a479eb4b1f57cbe54407961b4cc1
Instruction ID: ba29f56646e72325f0e0a788eb15f6c67daab6a637d514e49be6388f97691490
Opcode Fuzzy Hash: a74eaccfdf4773ea6a60f566481b17940b87a479eb4b1f57cbe54407961b4cc1
Instruction Fuzzy Hash: DE116172501549BFEF528FA49C84EEB7F69EF0D354F050116FA1456110D736DCA0DBA4

Function 00433B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00433B56

Part of subcall function 00433AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00433AD2
Part of subcall function 00433AA3: ___AdjustPointer.LIBCMT ref: 00433AED

_UnwindNestedFrames.LIBCMT ref: 00433B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00433B7C
CallCatchBlock.LIBVCRUNTIME ref: 00433BA4

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 68d22ebf473e438da906f1ad14b5d256cb04ca95e965f870ed07a3eb120ae729
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 85012932100148BBDF126E96CC42EEB7B79EF9C759F04501AFE4866121C73AE961DBA4

Function 00443073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004113C6,00000000,00000000,?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue), ref: 004430A5
GetLastError.KERNEL32(?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue,004B2290,FlsSetValue,00000000,00000364,?,00442E46), ref: 004430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue,004B2290,FlsSetValue,00000000), ref: 004430BF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 85e838e7c8c9946ee77f27aec168ce9842e41902318da09ad6c22b4c183db6d9
Instruction ID: 20370f9e5c0777ce75d17edaff14bb9f75e7d6c47a18ce68a7c3708be8396776
Opcode Fuzzy Hash: 85e838e7c8c9946ee77f27aec168ce9842e41902318da09ad6c22b4c183db6d9
Instruction Fuzzy Hash: 29012B32741222ABEB314F789C84A577F98AF06F62B200731F906E7244C725D901C6E8

Function 00477464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0047747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00477497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004774CA

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 82e96085e238b30f4895549be0b81f59032c72a1c61f9501471e776f2b5b00dc
Instruction ID: 5d4b0b2c14d54208af231344c9bde40a44e53b31e1d546870ab09c4f8815ee54
Opcode Fuzzy Hash: 82e96085e238b30f4895549be0b81f59032c72a1c61f9501471e776f2b5b00dc
Instruction Fuzzy Hash: 5111ADB1209310ABE7208F24DD48FE27FFCEB04B00F50C56AE61AD6191D7B4E904DBA9

Function 0047B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B126

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 79138d6bb3f5784e058b7eb508b89335c1e2aed42c0ca19fde1b66e9572b415d
Instruction ID: 48d7e74df17b6057cc97bd64d346efdc4ee027ff9fb537a47fbbac906ef5a239
Opcode Fuzzy Hash: 79138d6bb3f5784e058b7eb508b89335c1e2aed42c0ca19fde1b66e9572b415d
Instruction Fuzzy Hash: 86117C30E01528D7CF00AFA4EAA87EEBF78FF0A311F408096D945B2241CB3445518B99

Function 004A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A7E33
ScreenToClient.USER32(?,?), ref: 004A7E4B
ScreenToClient.USER32(?,?), ref: 004A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004A7E8A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f4560ed03012a49d04bd550790c41d4b3ef3fa89bbf29b696fb577c13db41c4e
Instruction ID: 61f820cc36747897e45c3b5af39981a38d50400be079b78ae5df7258617dea20
Opcode Fuzzy Hash: f4560ed03012a49d04bd550790c41d4b3ef3fa89bbf29b696fb577c13db41c4e
Instruction Fuzzy Hash: 2A1153B9D0020AAFDB51CF98C884AEEBBF9FF19310F509066E915E3210D735AA54CF94

Function 00472DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00472DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00472DD6
GetCurrentThreadId.KERNEL32 ref: 00472DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00472DE4

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1961b794c472422b4c0de5b98f74789b9ee487e4c7e277c354c126e401f34e1a
Instruction ID: b87f01c5f10060a412492a9b1b870ec1c2e0f909fe0a99c32d192a9ea3c82a0e
Opcode Fuzzy Hash: 1961b794c472422b4c0de5b98f74789b9ee487e4c7e277c354c126e401f34e1a
Instruction Fuzzy Hash: 3AE092B16412247BD7705B729C4DFEB3E6CEF43BA1F004026F109D10809AE4C841C6B4

Function 004A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00429639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296A2
Part of subcall function 00429639: BeginPath.GDI32(?), ref: 004296B9
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004A8887
LineTo.GDI32(?,?,?), ref: 004A8894
EndPath.GDI32(?), ref: 004A88A4
StrokePath.GDI32(?), ref: 004A88B2

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: eea3409c18f287947b44ebd05b5ab5a1801d7610fb28201d391157bbadf28e96
Instruction ID: 9556261b7eb524f335d09c0165836ef93800bf7b0f5930650f5c2abbaad27742
Opcode Fuzzy Hash: eea3409c18f287947b44ebd05b5ab5a1801d7610fb28201d391157bbadf28e96
Instruction Fuzzy Hash: 7CF09A36045258FADB122F94AC4DFCE3F59AF16310F408015FA01650E2CB780511CFAD

Function 004298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004298CC
SetTextColor.GDI32(?,?), ref: 004298D6
SetBkMode.GDI32(?,00000001), ref: 004298E9
GetStockObject.GDI32(00000005), ref: 004298F1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f7eb25c1e1786a791e1d19045a287f18faec2516a04ed175f5ca662420be32dc
Instruction ID: ba928036872f7c2ef7d45635bf9db5963d2cb7e7167ecdbaa58ff43519a9b47b
Opcode Fuzzy Hash: f7eb25c1e1786a791e1d19045a287f18faec2516a04ed175f5ca662420be32dc
Instruction Fuzzy Hash: 2BE06D31344280BADB615B74BC49BE93F60EB1333AF04822AF6FA581E1C77646809F15

Function 0047162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00471634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004711D9), ref: 0047163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004711D9), ref: 00471648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004711D9), ref: 0047164F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3455ba413995880fce21473448f674a75f37527053fdd77434d96a189192f8ac
Instruction ID: fc1552233b3613aa2d6fdab28cc4cfd17764255a119102564ca2bce572a92ddd
Opcode Fuzzy Hash: 3455ba413995880fce21473448f674a75f37527053fdd77434d96a189192f8ac
Instruction Fuzzy Hash: E9E08632601211DBD7601FE49D4DBC73F7CAF56791F148829F646D9090D6384540C798

Function 0046D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0046D858
GetDC.USER32(00000000), ref: 0046D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046D882
ReleaseDC.USER32(?), ref: 0046D8A3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 206cc2fc030c076f2b7c3619b743b9ddd9b82a3a9a72c99e9cdd2e31203dea83
Instruction ID: 5cd352858558942da78eaa85d93ec0daa9dc37f8ad9d541f3266bd3bf05a2fe0
Opcode Fuzzy Hash: 206cc2fc030c076f2b7c3619b743b9ddd9b82a3a9a72c99e9cdd2e31203dea83
Instruction Fuzzy Hash: A9E01270D00204DFCB819FA1D84C6ADBFB1FB09310F108019E806E7350C73885429F49

Function 0046D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0046D86C
GetDC.USER32(00000000), ref: 0046D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046D882
ReleaseDC.USER32(?), ref: 0046D8A3

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c0d85b0cddf737debb096954d77e914dde948dd14f08f53024f61bdc02d8737b
Instruction ID: 825e38040d51ddbf8777e13db2eadb6bd739364f02a09a82e73b8fb59e16a5ab
Opcode Fuzzy Hash: c0d85b0cddf737debb096954d77e914dde948dd14f08f53024f61bdc02d8737b
Instruction Fuzzy Hash: 04E01A70C00204DFCB819FA0D8886ADBFB1BB08310B108019E80AE7350CB3899029F48

Function 00484D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00484ED4

Strings

*, xrefs: 00484E10
LPT, xrefs: 00484DFB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 651b0672a41a13d61d4a69e81e3b628ef7213c33d5a8a01f811f93e03d678a97
Instruction ID: 1d94090c200c6dc0b7fed4ee2d11222909032772910f6fb92928970a3701b455
Opcode Fuzzy Hash: 651b0672a41a13d61d4a69e81e3b628ef7213c33d5a8a01f811f93e03d678a97
Instruction Fuzzy Hash: 46916075A002059FCB14EF58C484EAEBBF1AF84308F15849EE90A9F352D739ED85CB95

Function 0043E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0043E30D

Strings

pow, xrefs: 0043E2E5, 0043E302

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c541477f9eae421b223ac337b0553308c7fd5bd5869586c5af4cc5cd1a3c9164
Instruction ID: c04d28ee5ea6f7961f791f7f5e75919c2dd3efe30ca746397c05a6efdeb3ef80
Opcode Fuzzy Hash: c541477f9eae421b223ac337b0553308c7fd5bd5869586c5af4cc5cd1a3c9164
Instruction Fuzzy Hash: 0B518D61E1D10297EB117726C9413BB3B94EB14740F309AABE495423E9DB3C8C839A4E

Function 00497771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0046569E,00000000,?,004ACC08,?,00000000,00000000), ref: 004978DD

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

CharUpperBuffW.USER32(0046569E,00000000,?,004ACC08,00000000,?,00000000,00000000), ref: 0049783B

Strings

<sM, xrefs: 004977C8

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sM
API String ID: 3544283678-3729773310
Opcode ID: f3db5a3388ff9245d280ae6737f90ae8dc5fe8fd67483ddd8dfe024b49ad6a48
Instruction ID: c92a08bf669e093a4a5771680f773d93d8dc16ad8186d56231a0307501107d1c
Opcode Fuzzy Hash: f3db5a3388ff9245d280ae6737f90ae8dc5fe8fd67483ddd8dfe024b49ad6a48
Instruction Fuzzy Hash: A2615D72924118AACF04FBA5CC91DFEB774FF14704B54412BE542A3191EF38AA85CBA9

Function 0042E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0042E1B1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 49aebef3dcc2cd57a60b8b02a18426e1ef4311093efaf2207705df9fb1dd40ec
Instruction ID: d1494864bbdaf89f30e31f60b50c8359592faf2ee6d2f9fca1b07af47b4668a6
Opcode Fuzzy Hash: 49aebef3dcc2cd57a60b8b02a18426e1ef4311093efaf2207705df9fb1dd40ec
Instruction Fuzzy Hash: BC511339600256DFDB14DF2AD0816FA7BA4EF15310F64405BE8929B390E6389D43CBAA

Function 0042F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0042F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0042F2BB

Strings

@, xrefs: 0042F2AF

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dc8d2e6aadaa68db752db86bd477804e8a53291406bff81c9315c621c7055a8e
Instruction ID: 5de2cd8dd683cedd83241b537659f01411918906c5e7ea9c5befa9025096f3bb
Opcode Fuzzy Hash: dc8d2e6aadaa68db752db86bd477804e8a53291406bff81c9315c621c7055a8e
Instruction Fuzzy Hash: A95146714087449BD320AF11DC86BAFBBF8FF85304F81885EF1D9421A5EB348569CB6A

Function 00495745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004957E0
_wcslen.LIBCMT ref: 004957EC

Strings

CALLARGARRAY, xrefs: 004957E6, 004957EB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: c439e19d234ab86891cfd1eb45a8405e5bd45a0b99f2506c10ac96a9aaa29ff0
Instruction ID: fecf3f0de0c00c7a87670555f7d7806ca9bdb838620be0d1e54a475a5b7f74bc
Opcode Fuzzy Hash: c439e19d234ab86891cfd1eb45a8405e5bd45a0b99f2506c10ac96a9aaa29ff0
Instruction Fuzzy Hash: 5A41B131A001059FCF04EFAAC8818EEBBB5EF59324F20806EE505A7351D7389D81CB98

Function 0048D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0048D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0048D13A

Strings

|, xrefs: 0048D10B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 0f42ad192cde520660dceabc2e82da7ebe21aa6c3c6d06947fb414a29ed9cbbe
Instruction ID: 4ec16e2f8a02741809843c60be763da7acbd863f6feddf6464bfc120ed63ca6c
Opcode Fuzzy Hash: 0f42ad192cde520660dceabc2e82da7ebe21aa6c3c6d06947fb414a29ed9cbbe
Instruction Fuzzy Hash: 7C315D71D01209ABCF15EFA5CC85AEF7FB9FF08304F00001AF815A6261DB39AA56CB58

Function 004A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004A365C

Strings

static, xrefs: 004A35BC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1f71df5a5a77e6e7771f92438353676df90a110b90d831d3826a04c599156710
Instruction ID: 8937a241c43aba85c805cb7b0db8d41b42f9b532453bcbb288420416fe032ca8
Opcode Fuzzy Hash: 1f71df5a5a77e6e7771f92438353676df90a110b90d831d3826a04c599156710
Instruction Fuzzy Hash: 7D319071500204AEDB20DF68DC80EFB73A9FF59724F10861EF8A597290DA39ED81D768

Function 004A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004A4634

Strings

', xrefs: 004A458E

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f25b8ee910870c299010f727b1a0761f46c2517f703832a08c5d93b4dc2b909a
Instruction ID: 278866432a75f6133ca306e8ddf808b26519ac4dd7dbd476b3541e700e7534b6
Opcode Fuzzy Hash: f25b8ee910870c299010f727b1a0761f46c2517f703832a08c5d93b4dc2b909a
Instruction Fuzzy Hash: 39311B74E01209AFDB14CF69C990BDE7BB5FF9A300F14406AEA059B391D7B4A941CF94

Function 004A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A3287

Strings

Combobox, xrefs: 004A3249

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b1d59199b9493c6c8e63c270eb6c027d4a14f9ca47bf8893780fb42ba3ea9825
Instruction ID: 54686100568eec7a8c935302bead1e7db38eb0012482e362aaae7e6dfa3c28c5
Opcode Fuzzy Hash: b1d59199b9493c6c8e63c270eb6c027d4a14f9ca47bf8893780fb42ba3ea9825
Instruction Fuzzy Hash: EF1193722002086FEF119E94DC81FAB3B5AEB663A5F10416AF9149B290E6399D518764

Function 004A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
Part of subcall function 0041600E: GetStockObject.GDI32(00000011), ref: 00416060
Part of subcall function 0041600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

GetWindowRect.USER32(00000000,?), ref: 004A377A
GetSysColor.USER32(00000012), ref: 004A3794

Strings

static, xrefs: 004A3757

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e85d33f2f1c8c52e90ed52269ce52bcf9719eb891b3c35dd2b9530ef3ea4f1b7
Instruction ID: bdd8f7fc03df8967f961e44d2b56473a3d04c898315fbc28adba98d6e1c52ab1
Opcode Fuzzy Hash: e85d33f2f1c8c52e90ed52269ce52bcf9719eb891b3c35dd2b9530ef3ea4f1b7
Instruction Fuzzy Hash: D3116AB6610209AFDF00DFA8CC45EFA7BF8FB19304F004529F955E2250E739E8519B64

Function 0048CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0048CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0048CDA6

Strings

<local>, xrefs: 0048CD66

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4afbfe6e8ee70762d17c05ffac33ec09628ccfd59cf3e82305d0ced5c9b477a6
Instruction ID: 19456566e32879ac0b5af74dc50621a8bdbcddc167b6e4dcd556ac2dc9d8c7df
Opcode Fuzzy Hash: 4afbfe6e8ee70762d17c05ffac33ec09628ccfd59cf3e82305d0ced5c9b477a6
Instruction Fuzzy Hash: 7A11E3712416327AD7246B668CC4EEBBEE8EB127A4F004637B10983180D7789841D7F4

Function 004A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004A34BA

Strings

edit, xrefs: 004A348F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4e3cd975b0a13c5e1b44f130cbb2c8e140051d1bd924939cc63ceb11bdba65cd
Instruction ID: a6e0907f39db4a5a7b6c3bb6136229ef838c7ab2d80f2b8e05752251d133655b
Opcode Fuzzy Hash: 4e3cd975b0a13c5e1b44f130cbb2c8e140051d1bd924939cc63ceb11bdba65cd
Instruction Fuzzy Hash: 9611C471100104AFEB118E64DC80EFB3B69EF2A379F504325F960972D0D739DC519B58

Function 00476C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

CharUpperBuffW.USER32(?,?,?), ref: 00476CB6
_wcslen.LIBCMT ref: 00476CC2

Strings

STOP, xrefs: 00476CBC, 00476CC1

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 28679206a62af0a6341246020714314981fdf7c4775266c18473adb34a187ebb
Instruction ID: fe879a97793a3b7b280228da589abbb9b2d4c344b4264b584bd2dda403f9af9e
Opcode Fuzzy Hash: 28679206a62af0a6341246020714314981fdf7c4775266c18473adb34a187ebb
Instruction Fuzzy Hash: 660148326109268ACB219FBDDC809FF33A6EA60314702492AE85692280EB39D940C648

Function 00471CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00471D4C

Strings

ListBox, xrefs: 00471D16
ComboBox, xrefs: 00471CEB

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 754bd2daca0ae118a86f4789fe8cf7d4a8e1b534b7b5685d598d8ad6ccd6b750
Instruction ID: 914823559c697b7bf5af6e385ce19973813a0a27070786d89d12d907195b4341
Opcode Fuzzy Hash: 754bd2daca0ae118a86f4789fe8cf7d4a8e1b534b7b5685d598d8ad6ccd6b750
Instruction Fuzzy Hash: E2012831600214ABCB24EFA8CC61DFF7368EB02394B10451FF866573D1EE3869088AA8

Function 00471BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00471C46

Strings

ListBox, xrefs: 00471C10
ComboBox, xrefs: 00471BE5

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4c5d420a037254e331186d5a6b6747f452be9085ff02c8fc159ab0cf92dde320
Instruction ID: 11eca5a5cf8bca3fd7a44a9eab4ff858f99e890d3ed6015f3b0095c26d1f9fdd
Opcode Fuzzy Hash: 4c5d420a037254e331186d5a6b6747f452be9085ff02c8fc159ab0cf92dde320
Instruction Fuzzy Hash: 5A01FC717801046ECB15EBD4C962AFF77A89B11380F20001FE90B772D1EE289E08D6BD

Function 00471C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00471CC8

Strings

ListBox, xrefs: 00471C94
ComboBox, xrefs: 00471C69

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 78fc446232209b0b3c7e05bd25b074cdb5fa567e49b447faa858cc3da8dc3a8a
Instruction ID: 2ac1804088f680de8ca56071237e32e4dc760bc0a5e2c22bd6785422de5ffd33
Opcode Fuzzy Hash: 78fc446232209b0b3c7e05bd25b074cdb5fa567e49b447faa858cc3da8dc3a8a
Instruction Fuzzy Hash: ED01DB717801146BCB15EBD5CA12AFF77A89B11384F14401BB84673391EA289F08D6BD

Function 0042A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0042A529

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Strings

3yF, xrefs: 0042A545, 0042A54D, 0042A552
,%N, xrefs: 0042A509

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%N$3yF
API String ID: 2551934079-1307360129
Opcode ID: 7b2f2f27f5562ce8b3f0f84e7b84a4e513193e90cb91a220e176ecfec074d2a4
Instruction ID: 418cc78926548de2aaadc308080e2dde2569313f4241651e4a3aa4fbcfa0507b
Opcode Fuzzy Hash: 7b2f2f27f5562ce8b3f0f84e7b84a4e513193e90cb91a220e176ecfec074d2a4
Instruction Fuzzy Hash: 8B014C3270012067C500F769F967A9E73649B09715F90006FFD025B2C3DE9CAD818A8F

Function 00471D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00471DD3

Strings

ListBox, xrefs: 00471DA0
ComboBox, xrefs: 00471D75

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d89a502856e5c39345818e1652a6763f8d1621af43f45de5698e166956a836ad
Instruction ID: 2df90902ee7775ed1b6f2547434549fadf35ecf2c0f6341087b614a88b0ce741
Opcode Fuzzy Hash: d89a502856e5c39345818e1652a6763f8d1621af43f45de5698e166956a836ad
Instruction Fuzzy Hash: 09F0FE71B5021466C714F7A5CC62BFF7768AB01344F04091BF866632D1DE786D08866C

Function 004A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004E3018,004E305C), ref: 004A81BF
CloseHandle.KERNEL32 ref: 004A81D1

Strings

\0N, xrefs: 004A818A

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0N
API String ID: 3712363035-3569702050
Opcode ID: 60acf8a30cfbb372649baab865151f6d3e172417c6cf7604e4b4697a06d41dfd
Instruction ID: ac006691daa3690efdf5ddb45997eb7ada6350a0a05ec75d14e756c896bc5d97
Opcode Fuzzy Hash: 60acf8a30cfbb372649baab865151f6d3e172417c6cf7604e4b4697a06d41dfd
Instruction Fuzzy Hash: 3DF054B1640340BAE6616F616C89FB73A5CDB05756F004475BF08DA1A3D6798E0083BC

Function 0049747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00497493
_wcslen.LIBCMT ref: 004974B9

Strings

3, 3, 16, 1, xrefs: 00497483

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 1cde1e7e7372e767e44e90f64e3df7da0352d4813d922a60028896fabef41036
Instruction ID: 90c704d3f70c523181b90308de5ed625ea18abe4a02a594f8ea51ce15fdf8812
Opcode Fuzzy Hash: 1cde1e7e7372e767e44e90f64e3df7da0352d4813d922a60028896fabef41036
Instruction Fuzzy Hash: 1EE02B42224220149731127B9CC1BBF5F89CFCD7A0B14283FF985C2367EA9C9D9193A8

Function 00470B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00470B23

Strings

Error allocating memory., xrefs: 00470B1C
AutoIt, xrefs: 00470B17

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1b92fcc235e49e22df80f057f0a5a2a2ae32d868758f160a935454db7edad014
Instruction ID: a42289d3ac2214fb02ac44b21cf6d6b90d49e3f233e2d72406c7fd7d07a05a55
Opcode Fuzzy Hash: 1b92fcc235e49e22df80f057f0a5a2a2ae32d868758f160a935454db7edad014
Instruction Fuzzy Hash: A9E0D83134431826D21037957C43FCA7A848F06B24F60447FF758555C38FE9649046ED

Function 00430D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0042F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00430D71,?,?,?,0041100A), ref: 0042F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0041100A), ref: 00430D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0041100A), ref: 00430D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00430D7F

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2c39a0950ae133ec544b63240841dce21304ca243dc62553b66265d6e6fb363c
Instruction ID: fed07d5464822113cbf13297c14df28a0f1cf339b4b02f850a8d5e0c6761e53d
Opcode Fuzzy Hash: 2c39a0950ae133ec544b63240841dce21304ca243dc62553b66265d6e6fb363c
Instruction Fuzzy Hash: 7FE06D702003518BD3709FB9E4543867BE0AF19744F008A7EE486C6651DBB8E4888B99

Function 0042E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0042E3D5

Strings

0%N, xrefs: 0042E3B5
8%N, xrefs: 0042E3CA

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%N$8%N
API String ID: 1385522511-4178720944
Opcode ID: 1a65213d45a7382c7eb62b61db8cafba2428eeae527ef17dadff786e3ed0ca5f
Instruction ID: fe2658506b5da9ddbca61f73aa50c2cbb097b142b5be2b8b4e8245d42afc07b8
Opcode Fuzzy Hash: 1a65213d45a7382c7eb62b61db8cafba2428eeae527ef17dadff786e3ed0ca5f
Instruction Fuzzy Hash: 50E02031500A74DBC604D71BB7A4AAF3359AB09325BD012BFE401CB2D6DBFC5841874D

Function 00483017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0048302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00483044

Strings

aut, xrefs: 00483038

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 11c526f36e3c188cb80f89da331bfd841544ce71cd9543a0fd7ae46f3d6a4e90
Instruction ID: acc32a86bd11759125ece02d5ff1fd36f6b75eef3aca50bf20289742e6806fbc
Opcode Fuzzy Hash: 11c526f36e3c188cb80f89da331bfd841544ce71cd9543a0fd7ae46f3d6a4e90
Instruction Fuzzy Hash: 0FD05E7290032867DA60A7A4AD4EFCB3F6CDB06750F0002A2B696E2191DAB49984CAD4

Function 0046D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0046D220

Strings

X64, xrefs: 0046D2A8
%.3d, xrefs: 0046D22B

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 81253f641a5f5a98bce394ca3813c4d588d245ec96745857b2e480dcbb16bba2
Instruction ID: b52bc46e5dbfe121733fdbbb5c8bc0e645825aa0327b4366d18fcb6b8ed470db
Opcode Fuzzy Hash: 81253f641a5f5a98bce394ca3813c4d588d245ec96745857b2e480dcbb16bba2
Instruction Fuzzy Hash: 1FD012A1E08118E9CB9096D0DC559B9B77CAB09301FA084A3F80691040F72CD50AA76B

Function 004A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004A236C
PostMessageW.USER32(00000000), ref: 004A2373

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Strings

Shell_TrayWnd, xrefs: 004A2365

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ef623e423fce3f4c13e426aeadd1932239369e4a202ec3da9f49cd73249a9671
Instruction ID: ac2c67cecc9d447b77a96a90aaa07736c04624373e17cb5b240df6172f4988f3
Opcode Fuzzy Hash: ef623e423fce3f4c13e426aeadd1932239369e4a202ec3da9f49cd73249a9671
Instruction Fuzzy Hash: 7BD0C972781310BAE6A4A7719C4FFC66A189B16B14F114A277755AA1D0C9A4A8018A5C

Function 004A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004A233F

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Strings

Shell_TrayWnd, xrefs: 004A2325

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: af98946ad667410fa349bd09b5931b714950f24c2c57bd5ad1c7f2d7ad803ee7
Instruction ID: fbc913306e8adad24e6f473218d0bebb824e358e1fcdcdf04cf82b47add152f2
Opcode Fuzzy Hash: af98946ad667410fa349bd09b5931b714950f24c2c57bd5ad1c7f2d7ad803ee7
Instruction Fuzzy Hash: 02D02272380310B7E6A4B731DC4FFC67E089B01B00F004A277309AA1D0C8F4A800CA0C

Function 0044BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0044BE93
GetLastError.KERNEL32 ref: 0044BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044BEFC

Memory Dump Source

Source File: 00000000.00000002.2208170527.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2208120190.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208514005.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209597356.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210351531.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a84eb85021e8eb5e9d6ef0a14d8cf467337e9c20b204cceea047fb96caf03d36
Instruction ID: 1947c439c0b93cd07f071c629bc83deeccab36d190e152f0ca2929ce10f0a4f5
Opcode Fuzzy Hash: a84eb85021e8eb5e9d6ef0a14d8cf467337e9c20b204cceea047fb96caf03d36
Instruction Fuzzy Hash: F441F634600206AFEF218F65CC44ABBBBA4EF46310F24816BF95D972A1DB35CC05DB99

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 52.222.236.120 52.222.236.120
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2235737120.0000023A9D180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2358471170.0000023A9F59A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358152408.0000023A9F5DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363536990.0000023A9F5DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2357935185.0000023A9F6A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2386307136.0000023A9F6A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2233981437.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233435682.0000023AA3CB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296804228.0000023AA3780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2296804228.0000023AA3780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2233981437.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233435682.0000023AA3CB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296804228.0000023AA3780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2358471170.0000023A9F59A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389004910.0000023A9CD98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358152408.0000023A9F5DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2357935185.0000023A9F6A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2386307136.0000023A9F6A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2233981437.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233435682.0000023AA3CB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296804228.0000023AA3780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2233981437.0000023AA3A75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233435682.0000023AA3CB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296804228.0000023AA3780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2374528783.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382188586.0000023A9DC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3413209377.000002526F403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2297849589.0000023AA354D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2358471170.0000023A9F59A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389004910.0000023A9CD98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2406983214.0000023AA7837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2357935185.0000023A9F6A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2386307136.0000023A9F6A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2406983214.0000023AA7837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2354203161.0000023AA3C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: file.exe	Virustotal: Detection: 35%			Perma Link
Source: file.exe	ReversingLabs: Detection: 36%

Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.120:443 -> 192.168.2.5:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49924 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49925 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50026 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b150bc98-a738-458b-b244-0861ebdfb702.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b150bc98-a738-458b-b244-0861ebdfb702.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre