Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1533034
MD5:	3c619512d7906fbde57e4c27bc8358b3
SHA1:	bb416a8a83727bc1e1b8ef3137587c95767d34c8
SHA256:	14f2929a732740fd351f55f501173d46292108b4c13da210e1a85a41edb51f0a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3C619512D7906FBDE57E4C27BC8358B3)

taskkill.exe (PID: 7560 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7668 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7732 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7788 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7916 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 8000 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8036 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8056 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5544 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28238265-48d9-4b34-a6ae-a49d069ab035} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 2802996f310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7980 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4268 -parentBuildID 20230927232528 -prefsHandle 4296 -prefMapHandle 4292 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba5aafc-c52d-4af8-a559-38051b48bb48} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 2803bb64410 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2140 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaafa656-6b12-4778-a2b0-cfba142bdc4a} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 28029972f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7480	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 1_2_0018EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_0018EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0018ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_0018ED6A

Source: C:\Users\user\Desktop\file.exe

1_2_0018EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0017AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

1_2_0017AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_001A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2292f53b-2
Source: file.exe, 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a3d6e18b-9
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e0e72761-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3edd1553-7

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 20_2_000002B963C82E37 NtQuerySystemInformation,		20_2_000002B963C82E37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 20_2_000002B963CA9672 NtQuerySystemInformation,		20_2_000002B963CA9672

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0017D5EB: CreateFileW,DeviceIoControl,CloseHandle,

1_2_0017D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00171201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00171201

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0017E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_0017E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00182046	1_2_00182046
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00118060	1_2_00118060
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00178298	1_2_00178298
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0014E4FF	1_2_0014E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0014676B	1_2_0014676B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001A4873	1_2_001A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0013CAA0	1_2_0013CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0011CAF0	1_2_0011CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0012CC39	1_2_0012CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00146DD9	1_2_00146DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0012B119	1_2_0012B119
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001191C0	1_2_001191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00131394	1_2_00131394
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00131706	1_2_00131706
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0013781B	1_2_0013781B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00117920	1_2_00117920
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0012997D	1_2_0012997D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001319B0	1_2_001319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00137A4A	1_2_00137A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00131C77	1_2_00131C77
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00137CA7	1_2_00137CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0019BE44	1_2_0019BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00149EEE	1_2_00149EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00131F32	1_2_00131F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_3_000000A093779E99	16_3_000000A093779E99
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_3_000000A09377B0E9	16_3_000000A09377B0E9
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 20_2_000002B963C82E37	20_2_000002B963C82E37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 20_2_000002B963CA9672	20_2_000002B963CA9672
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 20_2_000002B963CA9D9C	20_2_000002B963CA9D9C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 20_2_000002B963CA96B2	20_2_000002B963CA96B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0012F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00130A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001837B5 GetLastError,FormatMessageW,

1_2_001837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001710BF AdjustTokenPrivileges,CloseHandle,		1_2_001710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_001716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_001851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0017D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0017D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0018648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

1_2_0018648E

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_001142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000010.00000003.2142277893.0000028036990000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28238265-48d9-4b34-a6ae-a49d069ab035} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 2802996f310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4268 -parentBuildID 20230927232528 -prefsHandle 4296 -prefMapHandle 4292 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba5aafc-c52d-4af8-a559-38051b48bb48} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 2803bb64410 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaafa656-6b12-4778-a2b0-cfba142bdc4a} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 28029972f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28238265-48d9-4b34-a6ae-a49d069ab035} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 2802996f310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4268 -parentBuildID 20230927232528 -prefsHandle 4296 -prefMapHandle 4292 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba5aafc-c52d-4af8-a559-38051b48bb48} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 2803bb64410 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaafa656-6b12-4778-a2b0-cfba142bdc4a} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 28029972f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 00000010.00000003.2133688217.000002803BC70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2149845816.000002803BC89000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 00000010.00000003.2134277813.000002803B7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 00000010.00000003.2159730383.000002803B93E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 00000010.00000003.2150981838.000002803ABD6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 00000010.00000003.2136822788.000002803AF6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WinTypes.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 00000010.00000003.2134470408.000002803B680000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 00000010.00000003.2133688217.000002803BC5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2133688217.000002803BC70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2149845816.000002803BC89000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc6.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8softokn3.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 00000010.00000003.2136822788.000002803AF6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 00000010.00000003.2159730383.000002803B93E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8twinapi.appcore.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 00000010.00000003.2136822788.000002803AF6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8kernelbase.pdb source: firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 00000010.00000003.2150365892.000002803AF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2137049996.000002803AF39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreMessaging.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 00000010.00000003.2136822788.000002803AF6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdbchrome://browser/skin/window.svg source: firefox.exe, 00000010.00000003.2134470408.000002803B680000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 00000010.00000003.2134277813.000002803B7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8bcryptprimitives.pdb source: firefox.exe, 00000010.00000003.2154563356.0000028039269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154563356.0000028039274000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 00000010.00000003.2159730383.000002803B93E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 00000010.00000003.2136822788.000002803AF6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb@ source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 00000010.00000003.2134470408.000002803B680000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gkcodecs.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iphlpapi.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ExplorerFrame.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 00000010.00000003.2134470408.000002803B680000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 00000010.00000003.2136822788.000002803AF6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2150365892.000002803AF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2137049996.000002803AF39000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb0 source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreUIComponents.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8osclientcerts.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cryptbase.pdb source: firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cfgmgr32.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iertutil.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 00000010.00000003.2133688217.000002803BC5C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8webauthn.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Kernel.Appcore.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8powrprof.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ColorAdapterClient.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8MMDevAPI.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 00000010.00000003.2159730383.000002803B93E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8oleaut32.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8kernel32.pdb source: firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8TextInputFramework.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8InputHost.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ucrtbase.pdb source: firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb@ source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8audioses.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47mrm.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netutils.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8rasadhlp.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47Langs.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8wtsapi32.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8taskschd.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp_win.pdb source: firefox.exe, 00000010.00000003.2154563356.0000028039274000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 00000010.00000003.2134470408.000002803B680000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbcontentLONGVARCHAR source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 00000010.00000003.2134470408.000002803B680000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8fwpuclnt.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 00000010.00000003.2133688217.000002803BC5C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 00000010.00000003.2133688217.000002803BC5C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 00000010.00000003.2134470408.000002803B680000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2134277813.000002803B719000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8advapi32.pdb source: firefox.exe, 00000010.00000003.2154563356.0000028039269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Storage.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8OnDemandConnRouteHelper.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netprofm.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Globalization.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8directmanipulation.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8setupapi.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8lgpllibs.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.16.dr
Source:	Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gdi32full.pdb source: firefox.exe, 00000010.00000003.2154563356.0000028039274000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 00000010.00000003.2134470408.000002803B680000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 00000010.00000003.2134277813.000002803B7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 00000010.00000003.2137162706.000002803AF11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 00000010.00000003.2134277813.000002803B7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2134277813.000002803B719000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8DataExchange.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.16.dr
Source:	Binary string: 8wintrust.pdb source: firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: firefox.exe, 00000010.00000003.2136584894.000002803AF7A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WindowManagementAPI.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 00000010.00000003.2134277813.000002803B7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8npmproxy.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8linkinfo.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 00000010.00000003.2137703740.000002803ACE9000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001142DE

Source: gmpopenh264.dll.tmp.16.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00130A76 push ecx; ret

1_2_00130A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0012F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_0012F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_001A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-98012

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 20_2_000002B963C82E37 rdtsc

20_2_000002B963C82E37

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0017DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0017DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001868EE FindFirstFileW,FindClose,	1_2_001868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0018698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_0018698F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0017D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0017D076
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0017D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0017D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00189642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00189642
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0018979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0018979D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00189B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00189B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00185C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00185C97

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001142DE

Source: firefox.exe, 00000014.00000002.3081381637.000002B964270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV]
Source: firefox.exe, 00000014.00000002.3081381637.000002B964270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$Q5y
Source: firefox.exe, 00000012.00000002.3082641948.0000026013A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[cIN
Source: firefox.exe, 00000014.00000002.3081381637.000002B964270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls_
Source: firefox.exe, 00000012.00000002.3076924834.000002601355A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`5
Source: firefox.exe, 00000012.00000002.3082641948.0000026013A00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3081381637.000002B964270000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3075199895.000002B96392A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3076281730.000001DF80FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000012.00000002.3082000829.0000026013919000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000015.00000002.3080400755.000001DF81376000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWA
Source: firefox.exe, 00000012.00000002.3082641948.0000026013A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 20_2_000002B963C82E37 rdtsc

20_2_000002B963C82E37

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0018EAA2 BlockInput,

1_2_0018EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00142622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00142622

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00134CE8 mov eax, dword ptr fs:[00000030h]

1_2_00134CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00170B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_00170B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00142622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00142622
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0013083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0013083F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001309D5 SetUnhandledExceptionFilter,	1_2_001309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00130C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00130C21

Source: C:\Users\user\Desktop\file.exe

1_2_00171201

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00152BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00152BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0017B226 SendInput,keybd_event,

1_2_0017B226

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

1_2_001922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

1_2_00170B62

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00171663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00171663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00130698 cpuid

1_2_00130698

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00188195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

1_2_00188195

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0016D27A GetUserNameW,

1_2_0016D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0014BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0014BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_001142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00191204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_00191204
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00191806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00191806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
reddit.map.fastly.net	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
normandy-cdn.services.mozilla.com	0%	Virustotal	Browse
push.services.mozilla.com	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
www.reddit.com	0%	Virustotal	Browse
prod.content-signature-chains.prod.webservices.mozgcp.net	0%	Virustotal	Browse
us-west1.prod.sumo.prod.webservices.mozgcp.net	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
content-signature-2.cdn.mozilla.net	0%	Virustotal	Browse
prod.ads.prod.webservices.mozgcp.net	0%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse
spocs.getpocket.com	0%	Virustotal	Browse
support.mozilla.org	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
normandy.cdn.mozilla.net	0%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse
www.wikipedia.org	0%	Virustotal	Browse
shavar.services.mozilla.com	0%	Virustotal	Browse
www.facebook.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
https://profiler.firefox.com/	0%	Virustotal		Browse
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse
https://github.com/w3c/csswg-drafts/issues/4650	0%	Virustotal		Browse
https://json-schema.org/draft/2019-09/schema.	0%	Virustotal		Browse
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
https://youtube.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.193	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	52.222.236.48	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.174	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	0%, Virustotal, Browse	unknown
youtube-ui.l.google.com	142.250.186.46	true	false	0%, Virustotal, Browse	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	0%, Virustotal, Browse	unknown
reddit.map.fastly.net	151.101.1.140	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.171	true	false	0%, Virustotal, Browse	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
push.services.mozilla.com	34.107.243.93	true	false	0%, Virustotal, Browse	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
www.reddit.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
spocs.getpocket.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
support.mozilla.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
shavar.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.wikipedia.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000003.2123661082.0000028043076000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2006982661.000002803BB5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963DC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3077109993.000001DF812C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 00000010.00000003.2151866871.0000028039EAD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.16.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 00000012.00000002.3078669661.00000260138E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3080730215.000001DF81503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.16.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000010.00000003.2050385396.000002804183E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2003809860.0000028041841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2004503307.0000028041848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2002447056.0000028041848000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3078669661.0000026013872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963D86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3077109993.000001DF8128F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000010.00000003.2150813583.000002803ABE5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 00000010.00000003.2152320677.0000028039E63000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 00000010.00000003.2108239823.0000028041B0F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 00000010.00000003.2159730383.000002803B93E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000010.00000003.1944917566.000002803953C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946217506.0000028039577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1944748187.000002803951F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1944591160.0000028039300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1945082996.000002803955A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000010.00000003.2007876834.0000028039FE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2007876834.0000028039FA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2139089429.0000028039FE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2139089429.0000028039FA0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000010.00000003.2136223540.000002803AF94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000010.00000003.2145410532.0000028041712000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000010.00000003.2007876834.0000028039F67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000010.00000003.2145741243.000002803D0D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2047798153.000002803B1B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1944917566.000002803953C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2018392765.000002803B1B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2123726048.0000028041B70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946217506.0000028039577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1944748187.000002803951F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2107087045.0000028041B70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1944591160.0000028039300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1945082996.000002803955A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2129455857.000002803D0D7000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://profiler.firefox.com/	firefox.exe, 00000010.00000003.2141752509.0000028036E91000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://mozilla.org/0	firefox.exe, 00000010.00000003.2093933036.00002302CA503000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000010.00000003.1944917566.000002803953C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946217506.0000028039577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1944748187.000002803951F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1944591160.0000028039300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1945082996.000002803955A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 00000010.00000003.2129455857.000002803D0D7000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000010.00000003.2138550397.000002803AC0F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000010.00000003.2150813583.000002803ABE5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 00000012.00000002.3078669661.00000260138E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3080730215.000001DF81503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.16.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000010.00000003.2119946653.0000028044EB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 00000010.00000003.2125213477.0000028041909000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2152405841.0000028039DB1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 00000010.00000003.2143276566.0000028036948000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000010.00000003.2134277813.000002803B719000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 00000012.00000002.3078669661.00000260138E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3080730215.000001DF81503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.16.dr	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 00000010.00000003.2007876834.0000028039F67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2159084814.000002803CD66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2152405841.0000028039DB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963D0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3077109993.000001DF8120C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 00000010.00000003.2107087045.0000028041B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2123726048.0000028041B6C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 00000010.00000003.2152320677.0000028039E63000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000010.00000003.2140537405.0000028039E90000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000003.2125006980.000002804196A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963DC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3077109993.000001DF812C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2108926007.000002803C161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2147506528.000002803C16A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2130815341.000002803C161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000010.00000003.2100631228.0000028038D2B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000010.00000003.2073831380.000002803AE1B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 00000010.00000003.2146565417.000002803C37A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2146565417.000002803C3B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.16.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 00000010.00000003.2107087045.0000028041B93000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000010.00000003.2134277813.000002803B719000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000010.00000003.2108239823.0000028041B0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3077109993.000001DF81213000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 00000010.00000003.2152320677.0000028039E63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/connection-not-secure	firefox.exe, 00000010.00000003.2105920687.0000028044C91000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000010.00000003.2145410532.0000028041712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000010.00000003.2123726048.0000028041BAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2107087045.0000028041BAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 00000010.00000003.2141526831.0000028036EBB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000010.00000003.2052269462.000002803AED4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2147128241.000002803C347000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2072405858.000002803AEC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2147506528.000002803C1D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2006982661.000002803BBBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2067429558.000002804371A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2123661082.0000028043076000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2029580560.0000028043727000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2030287571.0000028039CD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2100631228.0000028038D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2168995768.000002803D157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2065485798.0000028043711000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1958448161.00000280399DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2108926007.000002803C1B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2006982661.000002803BBDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2108449070.00000280417D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2039762531.000002803D150000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2073085531.000002803AE3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2089065492.0000028038D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2073654230.000002803AE32000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 00000010.00000003.2146248014.000002803C3B6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.16.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 00000010.00000003.2106771326.00000280430D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 00000010.00000003.2007876834.0000028039F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141084808.0000028039A65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 00000010.00000003.2007876834.0000028039F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141084808.0000028039A65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000010.00000003.2123726048.0000028041BAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2107087045.0000028041BAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000010.00000003.2050385396.000002804183E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2003809860.0000028041841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2004503307.0000028041848000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000010.00000003.2152405841.0000028039DF3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000010.00000003.2007876834.0000028039F67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000010.00000003.2100631228.0000028038D39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2117724399.0000028038D2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141365549.0000028036EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1950831289.0000028038D28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2096780323.0000028038D39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949957264.0000028038D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2033245457.0000028038D39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 00000010.00000003.2136531653.000002803AF81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000010.00000003.2145916065.000002803CD8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2130376608.000002803CD8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000010.00000003.2097697851.000002803AAAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2095411403.0000028038D1E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000010.00000003.2100631228.0000028038D39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2117724399.0000028038D2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141365549.0000028036EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1950831289.0000028038D28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2096780323.0000028038D39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949957264.0000028038D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2033245457.0000028038D39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000010.00000003.2140537405.0000028039E90000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 00000012.00000002.3078669661.00000260138E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3080730215.000001DF81503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.16.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000010.00000003.2108239823.0000028041B0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 00000010.00000003.2152320677.0000028039E63000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000010.00000003.2154413440.0000028039281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2142929371.000002803696C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000012.00000002.3077901988.00000260136A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3076896892.000002B963C40000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3076671873.000001DF81040000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.174	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false
52.222.236.48	services.addons.mozilla.org	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533034
Start date and time:	2024-10-14 11:01:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@70/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 43 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.83.8.120, 52.25.49.43, 52.26.161.5, 142.250.186.46, 2.22.61.56, 2.22.61.59, 172.217.16.206, 142.250.186.142, 142.250.185.106, 142.250.185.202
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 8056 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:02:42	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1	Get hash	malicious	Unknown	Browse	157.240.0.35
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	34.117.39.58
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	http://www.umb-re.com	Get hash	malicious	Unknown	Browse	34.49.229.81
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	56.139.251.143
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	33.20.40.34
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	56.244.108.32
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	34.148.73.213
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	34.1.241.144
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	http://www.umb-re.com	Get hash	malicious	Unknown	Browse	34.49.229.81
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	56.139.251.143
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	33.20.40.34
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	56.244.108.32
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	34.148.73.213
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	34.1.241.144
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e4fbc742-bebd-480e-873e-d4404770e5be.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177836738429279
Encrypted:	false
SSDEEP:	192:nfjMXQSNcbhbVbTbfbRbObtbyEl7ngreJA6WnSrDtTUd/SkDrx:nfYtcNhnzFSJAr9BnSrDhUd/r
MD5:	949FB2DC90CD1BDC18B0E4534F11EF74
SHA1:	E82922C4483BBD709E4134DA94567957062E2E87
SHA-256:	554C8754EA32A6F21BDAD2F54AB3F58E879E1A9D1CA5BA766B17027D4BD26350
SHA-512:	CC040455045973F9ABCEF2CE1DC61DC1778AEA34D3B942A79D6EEF1A0001B2DB81980E9E6A62771367BA3FE33FBD99966939284EC426FA0196DCBAC3C6090F06
Malicious:	false
Preview:	{"type":"uninstall","id":"e4fbc742-bebd-480e-873e-d4404770e5be","creationDate":"2024-10-14T10:07:56.194Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e4fbc742-bebd-480e-873e-d4404770e5be.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177836738429279
Encrypted:	false
SSDEEP:	192:nfjMXQSNcbhbVbTbfbRbObtbyEl7ngreJA6WnSrDtTUd/SkDrx:nfYtcNhnzFSJAr9BnSrDhUd/r
MD5:	949FB2DC90CD1BDC18B0E4534F11EF74
SHA1:	E82922C4483BBD709E4134DA94567957062E2E87
SHA-256:	554C8754EA32A6F21BDAD2F54AB3F58E879E1A9D1CA5BA766B17027D4BD26350
SHA-512:	CC040455045973F9ABCEF2CE1DC61DC1778AEA34D3B942A79D6EEF1A0001B2DB81980E9E6A62771367BA3FE33FBD99966939284EC426FA0196DCBAC3C6090F06
Malicious:	false
Preview:	{"type":"uninstall","id":"e4fbc742-bebd-480e-873e-d4404770e5be","creationDate":"2024-10-14T10:07:56.194Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9278617461300005
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNq6h:8S+OfJQPUFpOdwNIOdYVjvYcXaNLgo8P
MD5:	A021CF3E6549999DD5F7C29FCF6E2379
SHA1:	63BB7E40C7BD0FEEA735810F468CFDDEC5D87BB2
SHA-256:	49F0A1D9CD4ED0617266318282827C6999D550B21FC7287C28236A37B3C7201D
SHA-512:	B7D758F12944FA9C079BB2F6C310187BABAEF8C1904B571DB4C6DBA3C9811DAC068F8A98AAACE374C457562048D359F3913160F142ED3FEC931EE7BA39AC29A5
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9278617461300005
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNq6h:8S+OfJQPUFpOdwNIOdYVjvYcXaNLgo8P
MD5:	A021CF3E6549999DD5F7C29FCF6E2379
SHA1:	63BB7E40C7BD0FEEA735810F468CFDDEC5D87BB2
SHA-256:	49F0A1D9CD4ED0617266318282827C6999D550B21FC7287C28236A37B3C7201D
SHA-512:	B7D758F12944FA9C079BB2F6C310187BABAEF8C1904B571DB4C6DBA3C9811DAC068F8A98AAACE374C457562048D359F3913160F142ED3FEC931EE7BA39AC29A5
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07319645182583219
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki9el:DLhesh7Owd4+ji9e
MD5:	3535028A24DD1B04BB7374D51410EFC8
SHA1:	BECFF5F2B49CBB2ABE15586810AF8E62ED0C1BD9
SHA-256:	CEC15A2E0E92B7253C5DE9E9A5D70DDAF05989A2685028EC3BE3F05D5F570AF4
SHA-512:	96138D26836C93F64D9DA23E0927D09149F579AEF073C22E22F5E23EA63DCC2665DFAC17D0DED1394EE2A80BCA3D4DAEA79FB67D6B8CC526ECC592DBF84F51D5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFlqcrEVRiS/ttlstFlqcrEVRiSU/J89//alEl:GtWtq2EVRBttWtq2EVRU89XuM
MD5:	2CBA60F655922D7EDC9007747130C958
SHA1:	0E2110F62852F0DF2672031A8366322B46240843
SHA-256:	A7AB9D362A4C0E1E913293E3C6CE7A858449F10974BFDE89308DB64AD546A402
SHA-512:	50F0F300D658DEB2A58B6B5AC5D82D26E4382FE41943123C51E0F1851D8B3338903EA79935BA462062554BE31E41953BA2309AFC9381DFE175E8B32EF8D0ADBC
Malicious:	false
Preview:	..-.....................rO....!..tDY.j.4....3...-.....................rO....!..tDY.j.4....3.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.04010304634033313
Encrypted:	false
SSDEEP:	3:Ol1fKvKj/l4NEpewl8rEXsxdwhml8XW3R2:KEKjtzBl8dMhm93w
MD5:	FAB78FDD43489A8808EBA0B61BE99A2C
SHA1:	4D57CAB2924E487BB32B99B59D30526B8B5C5136
SHA-256:	AD9FD38B33E271D44513E9147FEAEC3BB434AB7C690234DA028C5EC8611C75AB
SHA-512:	81D673FAF028486B971A3196DC2DE5E882CE085D6F4E4D1B5EEFF8E0E0723FDD00C65F48DCBB0F94547F2275001721D1753C8971ABEC9FC6D7A0DB604CAB0990
Malicious:	false
Preview:	7....-..........!..tDY.jJv.4m./.........!..tDY.j.Or...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4952073842037255
Encrypted:	false
SSDEEP:	192:KnaRtLYbBp62hj4qyaaXk6KUfNg75RfGNBw8dgSl:Pesqc7V+cwb0
MD5:	7EC39E7090C9F4DB17F4A80360C7E39E
SHA1:	062614DB8C032D3210445757BF6C44A9AE4944A5
SHA-256:	BE5A45E2DEBBF837D109602D76143077A94E3F3715091ACF412613B8527DFEFF
SHA-512:	6828126DC579028C3CE06955491172F4BB831E698107EEC19C8E5926089649EC71C2DD59255FC5ED3183503F7F8E1AC9D39B6723036F9D2321E85B84BE36FFD2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728900446);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728900446);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728900446);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172890

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4952073842037255
Encrypted:	false
SSDEEP:	192:KnaRtLYbBp62hj4qyaaXk6KUfNg75RfGNBw8dgSl:Pesqc7V+cwb0
MD5:	7EC39E7090C9F4DB17F4A80360C7E39E
SHA1:	062614DB8C032D3210445757BF6C44A9AE4944A5
SHA-256:	BE5A45E2DEBBF837D109602D76143077A94E3F3715091ACF412613B8527DFEFF
SHA-512:	6828126DC579028C3CE06955491172F4BB831E698107EEC19C8E5926089649EC71C2DD59255FC5ED3183503F7F8E1AC9D39B6723036F9D2321E85B84BE36FFD2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728900446);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728900446);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728900446);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172890

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.335895835181894
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgq/pnxQwRlszT5sKt273eHVQj6TnamhujJSOsIomNVr0aDgX:GUpOx1KnR623eHTn4JSIquR4
MD5:	A5D898A2733DDA6922D121045FBFEC5F
SHA1:	194FFD1B11CF3CF9B3377186676113B529979A2C
SHA-256:	AC8396A7AEE3528D92A04671975C7BB47C59A157EDC2A1C09BF2FFE0027840FE
SHA-512:	3BB7F478797C1D7A654B3219533D70D5ABF5A5E99C54F87E4CC625AF768750EC446E5E6B8C66C82A3A94C24CA25F6BDD642E17EE4FFBECE902E058CFEBD3EA1B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c5a89181-d431-49ac-9bea-e3b822cc1e82}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728900454038,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P15869...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...24715,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.335895835181894
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgq/pnxQwRlszT5sKt273eHVQj6TnamhujJSOsIomNVr0aDgX:GUpOx1KnR623eHTn4JSIquR4
MD5:	A5D898A2733DDA6922D121045FBFEC5F
SHA1:	194FFD1B11CF3CF9B3377186676113B529979A2C
SHA-256:	AC8396A7AEE3528D92A04671975C7BB47C59A157EDC2A1C09BF2FFE0027840FE
SHA-512:	3BB7F478797C1D7A654B3219533D70D5ABF5A5E99C54F87E4CC625AF768750EC446E5E6B8C66C82A3A94C24CA25F6BDD642E17EE4FFBECE902E058CFEBD3EA1B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c5a89181-d431-49ac-9bea-e3b822cc1e82}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728900454038,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P15869...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...24715,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.335895835181894
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgq/pnxQwRlszT5sKt273eHVQj6TnamhujJSOsIomNVr0aDgX:GUpOx1KnR623eHTn4JSIquR4
MD5:	A5D898A2733DDA6922D121045FBFEC5F
SHA1:	194FFD1B11CF3CF9B3377186676113B529979A2C
SHA-256:	AC8396A7AEE3528D92A04671975C7BB47C59A157EDC2A1C09BF2FFE0027840FE
SHA-512:	3BB7F478797C1D7A654B3219533D70D5ABF5A5E99C54F87E4CC625AF768750EC446E5E6B8C66C82A3A94C24CA25F6BDD642E17EE4FFBECE902E058CFEBD3EA1B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c5a89181-d431-49ac-9bea-e3b822cc1e82}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728900454038,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P15869...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...24715,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033463358652738
Encrypted:	false
SSDEEP:	48:YrSAYf6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycfyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	E48D3A4EDB633A729E9BA960283999F7
SHA1:	4076C11A5B00B2F50904D3D562E74B96740B45D9
SHA-256:	ED85A8F3F329A36DF11CCA2EA939B5C89F87E9053032CB296029F9AFF4C8548D
SHA-512:	A95A636B5411FD359A379DB48603D5692920080CBA6663224BC72363A7D324F7BCA7989070FF3127A2A9907D63FF66C89A5899A9212E9620AE0DE6121D056B4A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T10:07:17.172Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033463358652738
Encrypted:	false
SSDEEP:	48:YrSAYf6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycfyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	E48D3A4EDB633A729E9BA960283999F7
SHA1:	4076C11A5B00B2F50904D3D562E74B96740B45D9
SHA-256:	ED85A8F3F329A36DF11CCA2EA939B5C89F87E9053032CB296029F9AFF4C8548D
SHA-512:	A95A636B5411FD359A379DB48603D5692920080CBA6663224BC72363A7D324F7BCA7989070FF3127A2A9907D63FF66C89A5899A9212E9620AE0DE6121D056B4A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T10:07:17.172Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584669720452534
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	3c619512d7906fbde57e4c27bc8358b3
SHA1:	bb416a8a83727bc1e1b8ef3137587c95767d34c8
SHA256:	14f2929a732740fd351f55f501173d46292108b4c13da210e1a85a41edb51f0a
SHA512:	491ae2bc4707e8880e5a181b7ce0dd56ee2a83cf8f919dd6bc716ec1c15395692c6fa9e0523faa35ebdda420a076b943523928969d1d72d71691c4e2c479085e
SSDEEP:	12288:pqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tc:pqDEvCTbMWu7rQYlBQcBiT6rprG8abc
TLSH:	AA159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x670CDAB1 [Mon Oct 14 08:47:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F09E86BE9E3h
jmp 00007F09E86BE2EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F09E86BE4CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F09E86BE49Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F09E86C108Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F09E86C10D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F09E86C10C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	3e48784ecd79285ad651dd409924a821	False	0.31561511075949367	data	5.373421907962467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 11:02:30.169259071 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:30.169353008 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:30.174614906 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:30.185422897 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:30.185461998 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:30.677694082 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:30.678931952 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:30.741848946 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:30.741920948 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:30.741966963 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:30.742510080 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:30.744627953 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:33.704579115 CEST	54852	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:33.704658985 CEST	443	54852	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:33.705183983 CEST	54852	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:33.706584930 CEST	54852	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:33.706620932 CEST	443	54852	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:34.357511044 CEST	443	54852	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:34.357671976 CEST	54852	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:34.358506918 CEST	443	54852	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:34.358580112 CEST	54852	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:34.361685991 CEST	54852	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:34.361715078 CEST	443	54852	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:34.361779928 CEST	54852	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:34.362009048 CEST	443	54852	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:34.362072945 CEST	54852	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:34.382853985 CEST	54853	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:34.387798071 CEST	80	54853	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:34.390769005 CEST	54853	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:34.390969038 CEST	54853	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:34.393878937 CEST	54854	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:34.393974066 CEST	443	54854	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:34.395801067 CEST	80	54853	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:34.401695967 CEST	54854	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:34.404757977 CEST	54854	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:34.404799938 CEST	443	54854	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:34.788805962 CEST	54856	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:34.788846970 CEST	443	54856	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:34.789139032 CEST	54856	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:34.790509939 CEST	54856	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:34.790529013 CEST	443	54856	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:34.887026072 CEST	80	54853	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:34.934442997 CEST	54853	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:35.071002960 CEST	443	54854	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.071021080 CEST	443	54854	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.071094036 CEST	54854	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.072051048 CEST	443	54854	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.072113037 CEST	54854	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.093395948 CEST	54854	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.093437910 CEST	443	54854	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.093527079 CEST	54854	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.093944073 CEST	443	54854	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.093945980 CEST	54857	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.094033003 CEST	443	54857	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.103466034 CEST	54854	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.103743076 CEST	54857	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.105518103 CEST	54857	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.105561972 CEST	443	54857	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.210983992 CEST	54858	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.211040020 CEST	443	54858	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.211118937 CEST	54858	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.213018894 CEST	54858	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.213047981 CEST	443	54858	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.247133017 CEST	54859	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:35.247220039 CEST	443	54859	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:35.247757912 CEST	54859	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:35.247891903 CEST	54859	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:35.247927904 CEST	443	54859	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:35.254077911 CEST	54860	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:35.258893967 CEST	80	54860	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:35.260700941 CEST	54860	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:35.260778904 CEST	54860	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:35.265700102 CEST	80	54860	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:35.299897909 CEST	443	54856	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.300021887 CEST	54856	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.305366993 CEST	54856	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.305381060 CEST	443	54856	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.305542946 CEST	54856	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.305651903 CEST	443	54856	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.306072950 CEST	54861	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.306113005 CEST	443	54861	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.306301117 CEST	54856	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.306344986 CEST	54861	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.307718992 CEST	54861	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.307739019 CEST	443	54861	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.357748985 CEST	54862	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.357808113 CEST	443	54862	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:35.358856916 CEST	54862	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.359131098 CEST	54862	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.359165907 CEST	443	54862	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:35.705955982 CEST	443	54858	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.706136942 CEST	54858	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.711554050 CEST	54858	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.711584091 CEST	443	54858	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.711678982 CEST	54858	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.711879969 CEST	443	54858	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.712061882 CEST	54863	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.712102890 CEST	443	54863	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.715204954 CEST	54858	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.715261936 CEST	54863	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.717252970 CEST	54863	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.717266083 CEST	443	54863	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.719572067 CEST	80	54860	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:35.745649099 CEST	443	54859	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:35.750947952 CEST	54859	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:35.752410889 CEST	443	54857	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.752444029 CEST	443	54857	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.754901886 CEST	443	54857	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.755462885 CEST	54859	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:35.755484104 CEST	443	54859	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:35.755846024 CEST	443	54859	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:35.757698059 CEST	54857	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.757728100 CEST	443	54857	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.761274099 CEST	54859	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:35.761377096 CEST	54859	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:35.761450052 CEST	443	54859	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:35.763194084 CEST	54857	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.763223886 CEST	443	54857	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.763295889 CEST	54857	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.763679981 CEST	54859	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:35.763793945 CEST	443	54857	142.250.186.174	192.168.2.4
Oct 14, 2024 11:02:35.763891935 CEST	54857	443	192.168.2.4	142.250.186.174
Oct 14, 2024 11:02:35.774678946 CEST	54860	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:35.785419941 CEST	443	54861	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.785655975 CEST	54861	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.789743900 CEST	54861	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.789753914 CEST	443	54861	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.789805889 CEST	54861	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.790127039 CEST	443	54861	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:35.790611982 CEST	54861	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:35.855767012 CEST	443	54862	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:35.857186079 CEST	54862	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.861491919 CEST	54862	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.861519098 CEST	443	54862	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:35.861939907 CEST	443	54862	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:35.864084005 CEST	54862	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.864222050 CEST	54862	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.864279032 CEST	443	54862	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:35.864692926 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.864727020 CEST	443	54864	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:35.864759922 CEST	54862	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.864846945 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.865001917 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:35.865010023 CEST	443	54864	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:35.958466053 CEST	54860	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:35.958482027 CEST	54853	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:35.963855982 CEST	80	54853	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:35.964078903 CEST	80	54860	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:35.975224972 CEST	54853	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:35.975272894 CEST	54860	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:36.043811083 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:36.050472021 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:36.051862001 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:36.052074909 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:36.057504892 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:36.206398964 CEST	443	54863	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:36.206499100 CEST	54863	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:36.211359978 CEST	54863	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:36.211368084 CEST	443	54863	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:36.211390018 CEST	54863	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:36.211905956 CEST	443	54863	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:36.211992025 CEST	54863	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:36.627954960 CEST	54866	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:36.628063917 CEST	443	54866	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:36.639539003 CEST	54866	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:36.641747952 CEST	54866	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:36.641798019 CEST	443	54866	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:37.363185883 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:37.363239050 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:37.363286972 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:37.363790035 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:37.363790989 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:37.371189117 CEST	443	54864	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:37.379410982 CEST	443	54864	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:37.379456043 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:37.382451057 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:37.382507086 CEST	443	54864	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:37.383229971 CEST	443	54864	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:37.385809898 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:37.385854006 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:37.386185884 CEST	443	54864	34.160.144.191	192.168.2.4
Oct 14, 2024 11:02:37.394980907 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:37.395004034 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:37.395004988 CEST	54864	443	192.168.2.4	34.160.144.191
Oct 14, 2024 11:02:37.842647076 CEST	443	54866	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:37.842664003 CEST	443	54866	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:37.842725992 CEST	54866	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:37.847132921 CEST	54866	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:37.847146988 CEST	443	54866	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:37.847218037 CEST	54866	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:37.847374916 CEST	443	54866	34.117.188.166	192.168.2.4
Oct 14, 2024 11:02:37.847538948 CEST	54866	443	192.168.2.4	34.117.188.166
Oct 14, 2024 11:02:42.757622957 CEST	54868	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:42.762581110 CEST	80	54868	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:42.766042948 CEST	54868	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:42.766120911 CEST	54868	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:42.771219969 CEST	80	54868	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:42.926801920 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:42.931830883 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:43.022918940 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:43.076453924 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:43.224121094 CEST	54868	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:43.229983091 CEST	80	54868	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:43.237950087 CEST	54868	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:43.524673939 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:43.529625893 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:43.529778004 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:43.529983044 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:43.534812927 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:43.555409908 CEST	54870	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:43.555448055 CEST	443	54870	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:43.555771112 CEST	54870	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:43.557956934 CEST	54870	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:43.557981014 CEST	443	54870	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:44.006567001 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:44.036457062 CEST	443	54870	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:44.036535025 CEST	54870	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:44.042690992 CEST	54870	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:44.042690992 CEST	54870	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:44.042700052 CEST	443	54870	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:44.043060064 CEST	443	54870	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:44.043167114 CEST	54870	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:44.057051897 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:44.555526018 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:44.560489893 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:44.577146053 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:44.577213049 CEST	443	54871	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:44.579097033 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:44.579291105 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:44.579313040 CEST	443	54871	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:44.651591063 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:44.705661058 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:45.053761959 CEST	443	54871	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:45.053831100 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:45.229257107 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:45.229324102 CEST	443	54871	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:45.230274916 CEST	443	54871	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:45.232000113 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:45.232081890 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:45.232453108 CEST	443	54871	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:45.238364935 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:45.238405943 CEST	54871	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:45.420330048 CEST	54872	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.420372963 CEST	443	54872	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:45.421278954 CEST	54872	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.422748089 CEST	54872	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.422766924 CEST	443	54872	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:45.431174040 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:45.436014891 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:45.436836004 CEST	54873	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:45.436858892 CEST	443	54873	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:45.438162088 CEST	54873	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:45.439600945 CEST	54873	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:45.439627886 CEST	443	54873	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:45.439735889 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:45.444612980 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:45.532061100 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:45.535288095 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:45.576972008 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:45.577004910 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:45.897753000 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:45.902822971 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:45.920171022 CEST	443	54873	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:45.924264908 CEST	54873	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:45.928026915 CEST	443	54872	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:45.928170919 CEST	54872	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.929725885 CEST	54873	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:45.929738045 CEST	443	54873	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:45.929963112 CEST	443	54873	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:45.929971933 CEST	54873	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:45.929981947 CEST	443	54873	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:45.932900906 CEST	54872	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.932912111 CEST	443	54872	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:45.933062077 CEST	54872	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.933171034 CEST	443	54872	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:45.933429003 CEST	54874	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.933505058 CEST	443	54874	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:45.934593916 CEST	54872	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.934645891 CEST	54873	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:45.934654951 CEST	54874	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.936121941 CEST	54874	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:45.936156988 CEST	443	54874	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:45.999118090 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:46.051661015 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:46.057245016 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:46.062275887 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:46.099498987 CEST	54875	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:46.099574089 CEST	443	54875	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:46.105140924 CEST	54875	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:46.106554031 CEST	54875	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:46.106589079 CEST	443	54875	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:46.153036118 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:46.205344915 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:46.409953117 CEST	443	54874	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:46.410725117 CEST	54874	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:46.582298994 CEST	443	54875	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:46.582379103 CEST	54875	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:46.820831060 CEST	54874	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:46.820884943 CEST	443	54874	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:46.820919991 CEST	54874	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:46.821036100 CEST	54875	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:46.821067095 CEST	443	54875	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:46.821091890 CEST	54875	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:46.821250916 CEST	443	54874	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:46.821324110 CEST	54874	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:46.821594954 CEST	443	54875	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:46.821728945 CEST	54875	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:49.643042088 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:49.648154020 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:49.663232088 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:49.668231964 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:49.743932009 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:49.781779051 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:49.792484045 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:49.830390930 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:50.365673065 CEST	54876	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.365717888 CEST	443	54876	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.368396044 CEST	54876	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.369719982 CEST	54876	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.369757891 CEST	443	54876	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.391592979 CEST	54877	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.391629934 CEST	443	54877	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.391982079 CEST	54877	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.392117023 CEST	54877	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.392124891 CEST	443	54877	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.474087000 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.474126101 CEST	443	54878	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.474191904 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.474333048 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.474351883 CEST	443	54878	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.864202976 CEST	443	54876	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.864339113 CEST	54876	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.892812967 CEST	443	54877	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.893008947 CEST	54877	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.920427084 CEST	54877	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.920460939 CEST	443	54877	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.921231985 CEST	443	54877	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.924238920 CEST	54877	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.924335957 CEST	54877	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.924427986 CEST	54876	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.924469948 CEST	443	54876	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.924489975 CEST	54876	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.924673080 CEST	443	54877	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.924683094 CEST	443	54876	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.924729109 CEST	54877	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.924738884 CEST	54876	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:50.952780008 CEST	443	54878	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:50.953556061 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:51.060137987 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:51.060174942 CEST	443	54878	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:51.061208963 CEST	443	54878	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:51.118313074 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:51.157648087 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:51.157742023 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:51.158186913 CEST	443	54878	34.120.208.123	192.168.2.4
Oct 14, 2024 11:02:51.158265114 CEST	54878	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:02:51.481189966 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:51.486195087 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:51.505953074 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:51.508647919 CEST	54879	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:51.508701086 CEST	443	54879	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:51.508810043 CEST	54879	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:51.509979963 CEST	54879	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:51.509998083 CEST	443	54879	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:51.511136055 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:51.582144022 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:51.602308035 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:51.610189915 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:51.615216017 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:51.651036978 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:51.711422920 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:51.751270056 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:51.982412100 CEST	443	54879	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:51.982480049 CEST	54879	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:51.986646891 CEST	54879	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:51.986673117 CEST	443	54879	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:51.986725092 CEST	54879	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:51.986829042 CEST	443	54879	34.107.243.93	192.168.2.4
Oct 14, 2024 11:02:51.989173889 CEST	54879	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:02:51.994302988 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:51.999275923 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:52.089926958 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:52.093364000 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:52.098475933 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:52.136786938 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:52.194231033 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:52.237078905 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:58.949783087 CEST	54880	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:58.949865103 CEST	443	54880	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:58.951292992 CEST	54880	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:58.951445103 CEST	54880	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:58.951467037 CEST	443	54880	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:58.977601051 CEST	54881	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:58.977641106 CEST	443	54881	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:58.977951050 CEST	54882	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:58.977957964 CEST	443	54882	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:58.980695009 CEST	54881	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:58.980787992 CEST	54882	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:58.980853081 CEST	54881	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:58.980866909 CEST	443	54881	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:58.982311010 CEST	54882	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:58.982326984 CEST	443	54882	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:58.983478069 CEST	54883	443	192.168.2.4	52.222.236.48
Oct 14, 2024 11:02:58.983514071 CEST	443	54883	52.222.236.48	192.168.2.4
Oct 14, 2024 11:02:58.984278917 CEST	54883	443	192.168.2.4	52.222.236.48
Oct 14, 2024 11:02:58.984394073 CEST	54883	443	192.168.2.4	52.222.236.48
Oct 14, 2024 11:02:58.984412909 CEST	443	54883	52.222.236.48	192.168.2.4
Oct 14, 2024 11:02:58.991413116 CEST	54884	443	192.168.2.4	35.201.103.21
Oct 14, 2024 11:02:58.991482019 CEST	443	54884	35.201.103.21	192.168.2.4
Oct 14, 2024 11:02:58.994702101 CEST	54884	443	192.168.2.4	35.201.103.21
Oct 14, 2024 11:02:58.996118069 CEST	54884	443	192.168.2.4	35.201.103.21
Oct 14, 2024 11:02:58.996130943 CEST	443	54884	35.201.103.21	192.168.2.4
Oct 14, 2024 11:02:59.429894924 CEST	443	54880	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.429986954 CEST	54880	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.433465958 CEST	54880	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.433495998 CEST	443	54880	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.433842897 CEST	443	54880	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.436189890 CEST	54880	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.436295033 CEST	54880	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.436415911 CEST	443	54880	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.436696053 CEST	54880	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.440176010 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:59.445112944 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:59.457165956 CEST	443	54882	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:59.457246065 CEST	54882	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:59.461224079 CEST	54882	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:59.461239100 CEST	443	54882	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:59.461376905 CEST	54882	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:59.461411953 CEST	443	54882	35.190.72.216	192.168.2.4
Oct 14, 2024 11:02:59.461513042 CEST	443	54881	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.461915970 CEST	54882	443	192.168.2.4	35.190.72.216
Oct 14, 2024 11:02:59.461956978 CEST	54881	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.465078115 CEST	54881	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.465085030 CEST	443	54881	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.465481043 CEST	443	54881	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.468035936 CEST	54881	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.468108892 CEST	54881	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.468230963 CEST	443	54881	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.469171047 CEST	54881	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.479657888 CEST	443	54884	35.201.103.21	192.168.2.4
Oct 14, 2024 11:02:59.479729891 CEST	54884	443	192.168.2.4	35.201.103.21
Oct 14, 2024 11:02:59.484292030 CEST	54884	443	192.168.2.4	35.201.103.21
Oct 14, 2024 11:02:59.484307051 CEST	443	54884	35.201.103.21	192.168.2.4
Oct 14, 2024 11:02:59.484383106 CEST	54884	443	192.168.2.4	35.201.103.21
Oct 14, 2024 11:02:59.484580994 CEST	443	54884	35.201.103.21	192.168.2.4
Oct 14, 2024 11:02:59.484813929 CEST	54884	443	192.168.2.4	35.201.103.21
Oct 14, 2024 11:02:59.497020006 CEST	54886	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.497051954 CEST	443	54886	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.497153044 CEST	54886	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.497277975 CEST	54886	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.497284889 CEST	443	54886	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.536101103 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:59.538903952 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:59.543899059 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:59.589236975 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:59.639977932 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:59.689516068 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:59.735687971 CEST	443	54883	52.222.236.48	192.168.2.4
Oct 14, 2024 11:02:59.735831976 CEST	54883	443	192.168.2.4	52.222.236.48
Oct 14, 2024 11:02:59.738975048 CEST	54883	443	192.168.2.4	52.222.236.48
Oct 14, 2024 11:02:59.738982916 CEST	443	54883	52.222.236.48	192.168.2.4
Oct 14, 2024 11:02:59.739412069 CEST	443	54883	52.222.236.48	192.168.2.4
Oct 14, 2024 11:02:59.741811991 CEST	54883	443	192.168.2.4	52.222.236.48
Oct 14, 2024 11:02:59.741933107 CEST	54883	443	192.168.2.4	52.222.236.48
Oct 14, 2024 11:02:59.742021084 CEST	443	54883	52.222.236.48	192.168.2.4
Oct 14, 2024 11:02:59.742979050 CEST	54883	443	192.168.2.4	52.222.236.48
Oct 14, 2024 11:02:59.750232935 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.750283003 CEST	443	54887	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.750494957 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.750909090 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.750926018 CEST	443	54887	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.752161980 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.752247095 CEST	443	54888	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.754219055 CEST	54889	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.754260063 CEST	443	54889	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.755470037 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:59.756580114 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.756653070 CEST	54889	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.756711006 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.756743908 CEST	443	54888	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.756818056 CEST	54889	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:02:59.756839037 CEST	443	54889	35.244.181.201	192.168.2.4
Oct 14, 2024 11:02:59.760421991 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:59.851205111 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:59.854219913 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:59.859169006 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:59.905735016 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:59.955168962 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:02:59.968957901 CEST	443	54886	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.969028950 CEST	54886	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.972121954 CEST	54886	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.972137928 CEST	443	54886	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.972460032 CEST	443	54886	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.975013971 CEST	54886	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.975109100 CEST	54886	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.975199938 CEST	443	54886	34.149.100.209	192.168.2.4
Oct 14, 2024 11:02:59.975258112 CEST	54886	443	192.168.2.4	34.149.100.209
Oct 14, 2024 11:02:59.977731943 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:02:59.982695103 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:00.006012917 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:00.073914051 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:00.083321095 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:00.088273048 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:00.121922970 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:00.184283972 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:00.229012966 CEST	443	54889	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.229089022 CEST	54889	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.231957912 CEST	54889	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.231972933 CEST	443	54889	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.232291937 CEST	443	54889	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.234781027 CEST	54889	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.234874964 CEST	54889	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.234962940 CEST	443	54889	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.235810995 CEST	54889	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.237601995 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:00.242487907 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:00.244378090 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:00.250199080 CEST	443	54887	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.254652977 CEST	443	54888	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.255424023 CEST	443	54887	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.260273933 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.260298967 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.263174057 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.263190031 CEST	443	54887	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.264157057 CEST	443	54887	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.265407085 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.265425920 CEST	443	54888	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.265705109 CEST	443	54888	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.267904997 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.267977953 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.268204927 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.268259048 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.268313885 CEST	443	54887	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.268349886 CEST	443	54888	35.244.181.201	192.168.2.4
Oct 14, 2024 11:03:00.275386095 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.275413036 CEST	54887	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.275429010 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.275429010 CEST	54888	443	192.168.2.4	35.244.181.201
Oct 14, 2024 11:03:00.333292007 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:00.336194992 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:00.341511011 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:00.375912905 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:00.437414885 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:00.491822958 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:02.271442890 CEST	54906	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:02.271542072 CEST	443	54906	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:02.271873951 CEST	54906	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:02.273329020 CEST	54906	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:02.273367882 CEST	443	54906	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:02.756784916 CEST	443	54906	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:02.756984949 CEST	54906	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:02.761017084 CEST	54906	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:02.761046886 CEST	443	54906	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:02.761115074 CEST	54906	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:02.761255980 CEST	443	54906	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:02.761333942 CEST	54906	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:02.763921976 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:02.768889904 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:02.860066891 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:02.863531113 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:02.868473053 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:02.914325953 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:02.964478970 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:03.014596939 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:12.880718946 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:12.885700941 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:12.981040001 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:12.985935926 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:22.887676001 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:22.892574072 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:22.987962008 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:22.992799997 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:23.488711119 CEST	55040	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:23.488746881 CEST	443	55040	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:23.488975048 CEST	55040	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:23.490524054 CEST	55040	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:23.490542889 CEST	443	55040	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:23.994606018 CEST	443	55040	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:23.994812012 CEST	55040	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:23.999339104 CEST	55040	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:23.999352932 CEST	443	55040	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:23.999438047 CEST	55040	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:23.999782085 CEST	443	55040	34.107.243.93	192.168.2.4
Oct 14, 2024 11:03:24.000633955 CEST	55040	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:03:24.002691031 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:24.007862091 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:24.098562956 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:24.101795912 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:24.106622934 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:24.144717932 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:24.202867031 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:24.244878054 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:28.676268101 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:28.679322958 CEST	55072	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.679419041 CEST	443	55072	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:28.681246042 CEST	55073	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.681246042 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:28.681269884 CEST	443	55073	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:28.681391001 CEST	55072	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.681476116 CEST	55073	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.681583881 CEST	55072	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.681595087 CEST	443	55072	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:28.681742907 CEST	55073	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.681751966 CEST	443	55073	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:28.684696913 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.684716940 CEST	443	55074	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:28.685256004 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.685437918 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:28.685446978 CEST	443	55074	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:28.772269964 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:28.775538921 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:28.781407118 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:28.825557947 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:28.876722097 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:28.925858021 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:29.155656099 CEST	443	55073	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.159240961 CEST	55073	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.162411928 CEST	55073	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.162425041 CEST	443	55073	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.162750006 CEST	443	55073	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.163911104 CEST	443	55072	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.164182901 CEST	55072	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.167077065 CEST	55072	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.167085886 CEST	443	55072	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.167089939 CEST	443	55074	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.167876005 CEST	443	55072	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.171314955 CEST	55073	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.171433926 CEST	55073	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.171531916 CEST	443	55073	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.175403118 CEST	443	55074	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.184370995 CEST	55073	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.184402943 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.191679001 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.191684961 CEST	443	55074	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.192028046 CEST	443	55074	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.194511890 CEST	55072	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.194621086 CEST	55072	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.194911003 CEST	443	55072	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.195545912 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.195616961 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.195751905 CEST	443	55074	34.120.208.123	192.168.2.4
Oct 14, 2024 11:03:29.198118925 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.198142052 CEST	55072	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.198153973 CEST	55074	443	192.168.2.4	34.120.208.123
Oct 14, 2024 11:03:29.242008924 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:29.247010946 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:29.337590933 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:29.340286970 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:29.345124960 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:29.382528067 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:29.441066027 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:29.483406067 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:39.345844030 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:39.350826979 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:39.446837902 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:39.451726913 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:49.353287935 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:49.358244896 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:49.453584909 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:49.458441973 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:59.360043049 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:59.365199089 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:03:59.460508108 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:03:59.465523958 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:04:04.511588097 CEST	55162	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:04:04.511651993 CEST	443	55162	34.107.243.93	192.168.2.4
Oct 14, 2024 11:04:04.511837959 CEST	55162	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:04:04.514081001 CEST	55162	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:04:04.514132977 CEST	443	55162	34.107.243.93	192.168.2.4
Oct 14, 2024 11:04:05.008060932 CEST	443	55162	34.107.243.93	192.168.2.4
Oct 14, 2024 11:04:05.008234978 CEST	55162	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:04:05.014282942 CEST	55162	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:04:05.014312029 CEST	443	55162	34.107.243.93	192.168.2.4
Oct 14, 2024 11:04:05.014507055 CEST	55162	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:04:05.014671087 CEST	443	55162	34.107.243.93	192.168.2.4
Oct 14, 2024 11:04:05.014929056 CEST	55162	443	192.168.2.4	34.107.243.93
Oct 14, 2024 11:04:05.017800093 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:04:05.022891045 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:04:05.113975048 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:04:05.122097015 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:04:05.127614975 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:04:05.161545992 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:04:05.224545002 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:04:05.277542114 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:04:15.131555080 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:04:15.136781931 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:04:15.231770992 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:04:15.236759901 CEST	80	54869	34.107.221.82	192.168.2.4
Oct 14, 2024 11:04:25.143745899 CEST	54865	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:04:25.148956060 CEST	80	54865	34.107.221.82	192.168.2.4
Oct 14, 2024 11:04:25.244029999 CEST	54869	80	192.168.2.4	34.107.221.82
Oct 14, 2024 11:04:25.248965025 CEST	80	54869	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 11:02:30.170020103 CEST	59715	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:30.180692911 CEST	53	59715	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:30.189754963 CEST	61754	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:30.197597980 CEST	53	61754	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:32.924598932 CEST	53	53489	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:33.682068110 CEST	54154	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:33.682352066 CEST	55709	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:33.689521074 CEST	53	55709	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:33.701639891 CEST	63897	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:33.704663038 CEST	60285	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:33.708832026 CEST	53	63897	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:33.709968090 CEST	53220	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:33.711703062 CEST	53	60285	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:33.714962959 CEST	59013	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:33.718251944 CEST	53	53220	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:33.722251892 CEST	53	59013	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:34.780591011 CEST	63456	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:34.787580013 CEST	53	63456	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:34.788820028 CEST	62709	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:34.795871973 CEST	53	62709	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:34.804629087 CEST	54645	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:34.813786983 CEST	53	54645	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.202682972 CEST	53291	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.203958988 CEST	57108	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.210064888 CEST	53	53291	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.211474895 CEST	53	57108	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.212418079 CEST	57894	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.213951111 CEST	61405	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.219692945 CEST	53	57894	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.220702887 CEST	53	61405	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.243581057 CEST	62466	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.246448040 CEST	61198	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.253611088 CEST	53	61198	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.253927946 CEST	61469	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.260799885 CEST	53	61469	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.271786928 CEST	50224	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.279458046 CEST	53	50224	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.349579096 CEST	63656	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.356869936 CEST	53	63656	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.358431101 CEST	59053	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.365243912 CEST	53	59053	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:35.365823030 CEST	62301	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:35.372757912 CEST	53	62301	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:36.622288942 CEST	51338	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:37.394170046 CEST	53	53302	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:42.682678938 CEST	57380	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:42.689836979 CEST	53	57380	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:42.691230059 CEST	63770	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:42.699381113 CEST	53	63770	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:42.702835083 CEST	57515	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:42.710211992 CEST	53	57515	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:42.927746058 CEST	59945	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:42.935257912 CEST	53	59945	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:42.956454992 CEST	52916	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:42.963732004 CEST	53	52916	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:42.964335918 CEST	53809	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:42.971285105 CEST	53	53809	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:44.572082996 CEST	51146	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:44.578984976 CEST	53	51146	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:45.408552885 CEST	61489	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:45.415719986 CEST	53	61489	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:45.421010971 CEST	49596	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:45.428227901 CEST	53	49596	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:45.437627077 CEST	58771	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:45.445269108 CEST	53	58771	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:45.454602957 CEST	59257	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:45.461590052 CEST	53	59257	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:45.464390993 CEST	51736	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:45.471822977 CEST	53	51736	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:50.363327026 CEST	58440	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:50.370223045 CEST	53	58440	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:50.391921997 CEST	57769	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:50.398669004 CEST	53	57769	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:50.399194002 CEST	58591	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:50.405997992 CEST	53	58591	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.525994062 CEST	49434	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.526166916 CEST	56492	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.526312113 CEST	51970	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.533005953 CEST	53	56492	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.533055067 CEST	53	49434	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.533082962 CEST	53	51970	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.533822060 CEST	49307	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.534172058 CEST	62926	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.534300089 CEST	51139	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.541050911 CEST	53	49307	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.541141987 CEST	53	62926	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.541173935 CEST	53	51139	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.543509007 CEST	52901	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.543675900 CEST	59231	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.544281006 CEST	54365	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.550710917 CEST	53	52901	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.550847054 CEST	53	59231	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.551410913 CEST	64993	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.551656961 CEST	54318	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.552236080 CEST	53	54365	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.558871984 CEST	53	54318	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.558903933 CEST	53	64993	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.559551001 CEST	60697	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.559704065 CEST	52369	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.566632032 CEST	53	52369	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.566679955 CEST	53	60697	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.567260981 CEST	52605	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.568804026 CEST	53230	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:53.573967934 CEST	53	52605	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:53.576980114 CEST	53	53230	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:58.950555086 CEST	57895	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:58.958060980 CEST	53	57895	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:58.958645105 CEST	59981	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:58.965627909 CEST	53	59981	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:58.973840952 CEST	51983	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:58.980232000 CEST	49342	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:58.981446028 CEST	53	51983	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:58.983932972 CEST	49833	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:58.987591028 CEST	53	49342	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:58.991372108 CEST	53	49833	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:58.992537022 CEST	63911	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:58.996990919 CEST	55115	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:58.999923944 CEST	53	63911	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:59.003674030 CEST	53	55115	1.1.1.1	192.168.2.4
Oct 14, 2024 11:02:59.038819075 CEST	63863	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:02:59.046580076 CEST	53	63863	1.1.1.1	192.168.2.4
Oct 14, 2024 11:03:02.270967960 CEST	50316	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:03:02.278947115 CEST	53	50316	1.1.1.1	192.168.2.4
Oct 14, 2024 11:03:02.280034065 CEST	54784	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:03:02.286701918 CEST	53	54784	1.1.1.1	192.168.2.4
Oct 14, 2024 11:03:23.480992079 CEST	61670	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:03:23.487677097 CEST	53	61670	1.1.1.1	192.168.2.4
Oct 14, 2024 11:03:23.488235950 CEST	51918	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:03:23.494829893 CEST	53	51918	1.1.1.1	192.168.2.4
Oct 14, 2024 11:03:24.003036976 CEST	51836	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:03:28.679308891 CEST	55563	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:03:28.686626911 CEST	53	55563	1.1.1.1	192.168.2.4
Oct 14, 2024 11:04:04.503015041 CEST	53799	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:04:04.510263920 CEST	53	53799	1.1.1.1	192.168.2.4
Oct 14, 2024 11:04:04.511540890 CEST	52761	53	192.168.2.4	1.1.1.1
Oct 14, 2024 11:04:04.518568039 CEST	53	52761	1.1.1.1	192.168.2.4
Oct 14, 2024 11:04:05.018018007 CEST	59003	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 11:02:30.170020103 CEST	192.168.2.4	1.1.1.1	0x1627	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:30.189754963 CEST	192.168.2.4	1.1.1.1	0xe3e4	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:33.682068110 CEST	192.168.2.4	1.1.1.1	0xc206	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.682352066 CEST	192.168.2.4	1.1.1.1	0xa44c	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.701639891 CEST	192.168.2.4	1.1.1.1	0x3fe3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.704663038 CEST	192.168.2.4	1.1.1.1	0x1a88	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.709968090 CEST	192.168.2.4	1.1.1.1	0x6bc9	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:33.714962959 CEST	192.168.2.4	1.1.1.1	0x2931	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:34.780591011 CEST	192.168.2.4	1.1.1.1	0x3ffd	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:34.788820028 CEST	192.168.2.4	1.1.1.1	0x2fab	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:34.804629087 CEST	192.168.2.4	1.1.1.1	0x92df	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:35.202682972 CEST	192.168.2.4	1.1.1.1	0xa0c0	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.203958988 CEST	192.168.2.4	1.1.1.1	0xdced	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.212418079 CEST	192.168.2.4	1.1.1.1	0xd98e	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.213951111 CEST	192.168.2.4	1.1.1.1	0x925a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.243581057 CEST	192.168.2.4	1.1.1.1	0x675d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.246448040 CEST	192.168.2.4	1.1.1.1	0x47a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:35.253927946 CEST	192.168.2.4	1.1.1.1	0xa43d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.271786928 CEST	192.168.2.4	1.1.1.1	0x2d0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:35.349579096 CEST	192.168.2.4	1.1.1.1	0x72f4	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.358431101 CEST	192.168.2.4	1.1.1.1	0x5b6a	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.365823030 CEST	192.168.2.4	1.1.1.1	0xaa66	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:36.622288942 CEST	192.168.2.4	1.1.1.1	0x594b	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:42.682678938 CEST	192.168.2.4	1.1.1.1	0x307e	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:42.691230059 CEST	192.168.2.4	1.1.1.1	0x507f	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:42.702835083 CEST	192.168.2.4	1.1.1.1	0x2b29	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:42.927746058 CEST	192.168.2.4	1.1.1.1	0x3979	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:42.956454992 CEST	192.168.2.4	1.1.1.1	0xed99	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:42.964335918 CEST	192.168.2.4	1.1.1.1	0x48da	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:44.572082996 CEST	192.168.2.4	1.1.1.1	0x610a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:45.408552885 CEST	192.168.2.4	1.1.1.1	0xd83e	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:45.421010971 CEST	192.168.2.4	1.1.1.1	0xe8ab	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:45.437627077 CEST	192.168.2.4	1.1.1.1	0x3bbd	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:45.454602957 CEST	192.168.2.4	1.1.1.1	0xe5ba	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:45.464390993 CEST	192.168.2.4	1.1.1.1	0x1791	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:50.363327026 CEST	192.168.2.4	1.1.1.1	0x6fd7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:50.391921997 CEST	192.168.2.4	1.1.1.1	0x4e99	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:50.399194002 CEST	192.168.2.4	1.1.1.1	0xaa9b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:53.525994062 CEST	192.168.2.4	1.1.1.1	0x3193	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.526166916 CEST	192.168.2.4	1.1.1.1	0x71d7	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.526312113 CEST	192.168.2.4	1.1.1.1	0x2d2c	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533822060 CEST	192.168.2.4	1.1.1.1	0xf1cf	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.534172058 CEST	192.168.2.4	1.1.1.1	0xa38f	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.534300089 CEST	192.168.2.4	1.1.1.1	0x68d4	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.543509007 CEST	192.168.2.4	1.1.1.1	0x1626	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:53.543675900 CEST	192.168.2.4	1.1.1.1	0x944	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 14, 2024 11:02:53.544281006 CEST	192.168.2.4	1.1.1.1	0xc4d3	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:53.551410913 CEST	192.168.2.4	1.1.1.1	0xd777	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.551656961 CEST	192.168.2.4	1.1.1.1	0x1165	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.559551001 CEST	192.168.2.4	1.1.1.1	0x6d0f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.559704065 CEST	192.168.2.4	1.1.1.1	0xb9ab	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.567260981 CEST	192.168.2.4	1.1.1.1	0x74b	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 14, 2024 11:02:53.568804026 CEST	192.168.2.4	1.1.1.1	0xa0b8	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:58.950555086 CEST	192.168.2.4	1.1.1.1	0xbf8f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.958645105 CEST	192.168.2.4	1.1.1.1	0xcb0c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 11:02:58.973840952 CEST	192.168.2.4	1.1.1.1	0xb2f9	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.980232000 CEST	192.168.2.4	1.1.1.1	0x4a50	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.983932972 CEST	192.168.2.4	1.1.1.1	0x86ea	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.992537022 CEST	192.168.2.4	1.1.1.1	0x7d5e	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.996990919 CEST	192.168.2.4	1.1.1.1	0x9b45	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 14, 2024 11:02:59.038819075 CEST	192.168.2.4	1.1.1.1	0xb03d	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:03:02.270967960 CEST	192.168.2.4	1.1.1.1	0x63f3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:02.280034065 CEST	192.168.2.4	1.1.1.1	0xb81	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:03:23.480992079 CEST	192.168.2.4	1.1.1.1	0xe9de	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:23.488235950 CEST	192.168.2.4	1.1.1.1	0xf945	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:03:24.003036976 CEST	192.168.2.4	1.1.1.1	0x9bbd	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:28.679308891 CEST	192.168.2.4	1.1.1.1	0x5eb6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:04:04.503015041 CEST	192.168.2.4	1.1.1.1	0x5441	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:04:04.511540890 CEST	192.168.2.4	1.1.1.1	0x7128	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 11:04:05.018018007 CEST	192.168.2.4	1.1.1.1	0xb4f9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 11:02:30.110990047 CEST	1.1.1.1	192.168.2.4	0x9b5b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:30.180692911 CEST	1.1.1.1	192.168.2.4	0x1627	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.689217091 CEST	1.1.1.1	192.168.2.4	0xc206	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:33.689217091 CEST	1.1.1.1	192.168.2.4	0xc206	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.689521074 CEST	1.1.1.1	192.168.2.4	0xa44c	No error (0)	youtube.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.708832026 CEST	1.1.1.1	192.168.2.4	0x3fe3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.711703062 CEST	1.1.1.1	192.168.2.4	0x1a88	No error (0)	youtube.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:33.718251944 CEST	1.1.1.1	192.168.2.4	0x6bc9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 11:02:33.722251892 CEST	1.1.1.1	192.168.2.4	0x2931	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 14, 2024 11:02:34.787580013 CEST	1.1.1.1	192.168.2.4	0x3ffd	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:34.795871973 CEST	1.1.1.1	192.168.2.4	0x2fab	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.210064888 CEST	1.1.1.1	192.168.2.4	0xa0c0	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:35.210064888 CEST	1.1.1.1	192.168.2.4	0xa0c0	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.211474895 CEST	1.1.1.1	192.168.2.4	0xdced	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.219692945 CEST	1.1.1.1	192.168.2.4	0xd98e	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.219692945 CEST	1.1.1.1	192.168.2.4	0xd98e	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.220702887 CEST	1.1.1.1	192.168.2.4	0x925a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.234998941 CEST	1.1.1.1	192.168.2.4	0xce20	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:35.234998941 CEST	1.1.1.1	192.168.2.4	0xce20	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.251151085 CEST	1.1.1.1	192.168.2.4	0x675d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:35.251151085 CEST	1.1.1.1	192.168.2.4	0x675d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.260799885 CEST	1.1.1.1	192.168.2.4	0xa43d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.356869936 CEST	1.1.1.1	192.168.2.4	0x72f4	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:35.356869936 CEST	1.1.1.1	192.168.2.4	0x72f4	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:35.356869936 CEST	1.1.1.1	192.168.2.4	0x72f4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.365243912 CEST	1.1.1.1	192.168.2.4	0x5b6a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:35.372757912 CEST	1.1.1.1	192.168.2.4	0xaa66	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 11:02:37.368308067 CEST	1.1.1.1	192.168.2.4	0x594b	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:42.689836979 CEST	1.1.1.1	192.168.2.4	0x307e	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:42.689836979 CEST	1.1.1.1	192.168.2.4	0x307e	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:42.689836979 CEST	1.1.1.1	192.168.2.4	0x307e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:42.699381113 CEST	1.1.1.1	192.168.2.4	0x507f	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:42.935257912 CEST	1.1.1.1	192.168.2.4	0x3979	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:42.963732004 CEST	1.1.1.1	192.168.2.4	0xed99	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:44.571968079 CEST	1.1.1.1	192.168.2.4	0xcc32	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:44.571968079 CEST	1.1.1.1	192.168.2.4	0xcc32	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:45.415719986 CEST	1.1.1.1	192.168.2.4	0xd83e	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:45.415719986 CEST	1.1.1.1	192.168.2.4	0xd83e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:45.428227901 CEST	1.1.1.1	192.168.2.4	0xe8ab	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:45.434581041 CEST	1.1.1.1	192.168.2.4	0xca77	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:45.461590052 CEST	1.1.1.1	192.168.2.4	0xe5ba	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:46.068862915 CEST	1.1.1.1	192.168.2.4	0x392e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:50.398669004 CEST	1.1.1.1	192.168.2.4	0x4e99	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533005953 CEST	1.1.1.1	192.168.2.4	0x71d7	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533005953 CEST	1.1.1.1	192.168.2.4	0x71d7	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533055067 CEST	1.1.1.1	192.168.2.4	0x3193	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533082962 CEST	1.1.1.1	192.168.2.4	0x2d2c	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:53.533082962 CEST	1.1.1.1	192.168.2.4	0x2d2c	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541050911 CEST	1.1.1.1	192.168.2.4	0xf1cf	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541141987 CEST	1.1.1.1	192.168.2.4	0xa38f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.541173935 CEST	1.1.1.1	192.168.2.4	0x68d4	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.550710917 CEST	1.1.1.1	192.168.2.4	0x1626	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 14, 2024 11:02:53.550847054 CEST	1.1.1.1	192.168.2.4	0x944	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 14, 2024 11:02:53.552236080 CEST	1.1.1.1	192.168.2.4	0xc4d3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 11:02:53.552236080 CEST	1.1.1.1	192.168.2.4	0xc4d3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 11:02:53.552236080 CEST	1.1.1.1	192.168.2.4	0xc4d3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 11:02:53.552236080 CEST	1.1.1.1	192.168.2.4	0xc4d3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 11:02:53.558871984 CEST	1.1.1.1	192.168.2.4	0x1165	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.558903933 CEST	1.1.1.1	192.168.2.4	0xd777	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:53.558903933 CEST	1.1.1.1	192.168.2.4	0xd777	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.558903933 CEST	1.1.1.1	192.168.2.4	0xd777	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.558903933 CEST	1.1.1.1	192.168.2.4	0xd777	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.558903933 CEST	1.1.1.1	192.168.2.4	0xd777	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.566632032 CEST	1.1.1.1	192.168.2.4	0xb9ab	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.566632032 CEST	1.1.1.1	192.168.2.4	0xb9ab	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.566632032 CEST	1.1.1.1	192.168.2.4	0xb9ab	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.566632032 CEST	1.1.1.1	192.168.2.4	0xb9ab	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:53.566679955 CEST	1.1.1.1	192.168.2.4	0x6d0f	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.955785990 CEST	1.1.1.1	192.168.2.4	0xda16	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:58.955785990 CEST	1.1.1.1	192.168.2.4	0xda16	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.958060980 CEST	1.1.1.1	192.168.2.4	0xbf8f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.981446028 CEST	1.1.1.1	192.168.2.4	0xb2f9	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.981446028 CEST	1.1.1.1	192.168.2.4	0xb2f9	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.981446028 CEST	1.1.1.1	192.168.2.4	0xb2f9	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.981446028 CEST	1.1.1.1	192.168.2.4	0xb2f9	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.987591028 CEST	1.1.1.1	192.168.2.4	0x4a50	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:02:58.987591028 CEST	1.1.1.1	192.168.2.4	0x4a50	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.991372108 CEST	1.1.1.1	192.168.2.4	0x86ea	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.991372108 CEST	1.1.1.1	192.168.2.4	0x86ea	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.991372108 CEST	1.1.1.1	192.168.2.4	0x86ea	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.991372108 CEST	1.1.1.1	192.168.2.4	0x86ea	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:02:58.999923944 CEST	1.1.1.1	192.168.2.4	0x7d5e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:00.282224894 CEST	1.1.1.1	192.168.2.4	0x4e8d	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:03:00.282224894 CEST	1.1.1.1	192.168.2.4	0x4e8d	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:03:02.278947115 CEST	1.1.1.1	192.168.2.4	0x63f3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:23.487677097 CEST	1.1.1.1	192.168.2.4	0xe9de	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:24.010121107 CEST	1.1.1.1	192.168.2.4	0x9bbd	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:03:24.010121107 CEST	1.1.1.1	192.168.2.4	0x9bbd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:04:04.510263920 CEST	1.1.1.1	192.168.2.4	0x5441	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:04:05.025633097 CEST	1.1.1.1	192.168.2.4	0xb4f9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:04:05.025633097 CEST	1.1.1.1	192.168.2.4	0xb4f9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	54853	34.107.221.82	80	8056	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:02:34.390969038 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:34.887026072 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43913 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	54860	34.107.221.82	80	8056	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:02:35.260778904 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:35.719572067 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 54579 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	54865	34.107.221.82	80	8056	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:02:36.052074909 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:37.363185883 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43915 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:37.363239050 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43915 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:37.363286972 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43915 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:42.926801920 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:43.022918940 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43921 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:44.555526018 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:44.651591063 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43923 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:45.439735889 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:45.535288095 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43924 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:46.057245016 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:46.153036118 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43925 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:49.663232088 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:49.781779051 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43928 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:51.505953074 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:51.602308035 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43930 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:51.994302988 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:52.089926958 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43931 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:59.440176010 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:59.536101103 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43938 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:59.755470037 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:02:59.851205111 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43938 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:02:59.977731943 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:03:00.073914051 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43939 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:03:00.237601995 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:03:00.333292007 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43939 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:03:02.763921976 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:03:02.860066891 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43941 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:03:12.880718946 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:03:22.887676001 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:03:24.002691031 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:03:24.098562956 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43963 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:03:28.676268101 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:03:28.772269964 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43967 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:03:29.242008924 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:03:29.337590933 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 43968 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:03:39.345844030 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:03:49.353287935 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:03:59.360043049 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:04:05.017800093 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 11:04:05.113975048 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 44004 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 11:04:15.131555080 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:04:25.143745899 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	54868	34.107.221.82	80	8056	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:02:42.766120911 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	54869	34.107.221.82	80	8056	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:02:43.529983044 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:44.006567001 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83908 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:02:45.431174040 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:45.532061100 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83910 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:02:45.897753000 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:45.999118090 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83910 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:02:49.643042088 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:49.743932009 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83914 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:02:51.481189966 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:51.582144022 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83916 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:02:51.610189915 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:51.711422920 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83916 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:02:52.093364000 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:52.194231033 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83917 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:02:59.538903952 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:59.639977932 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83924 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:02:59.854219913 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:02:59.955168962 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83924 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:03:00.083321095 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:03:00.184283972 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83925 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:03:00.336194992 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:03:00.437414885 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83925 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:03:02.863531113 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:03:02.964478970 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83927 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:03:12.981040001 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:03:22.987962008 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:03:24.101795912 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:03:24.202867031 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83949 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:03:28.775538921 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:03:28.876722097 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83953 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:03:29.340286970 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:03:29.441066027 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83954 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:03:39.446837902 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:03:49.453584909 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:03:59.460508108 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:04:05.122097015 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 11:04:05.224545002 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 83990 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 11:04:15.231770992 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 11:04:25.244029999 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	1
Start time:	05:02:16
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x110000
File size:	919'552 bytes
MD5 hash:	3C619512D7906FBDE57E4C27BC8358B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:02:16
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x860000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:02:16
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:02:21
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x860000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:02:21
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:02:22
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x860000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:02:22
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:02:23
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x860000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:02:23
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:02:24
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x860000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:02:24
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:02:24
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:02:24
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:02:25
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	05:02:27
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28238265-48d9-4b34-a6ae-a49d069ab035} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 2802996f310 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	05:02:31
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4268 -parentBuildID 20230927232528 -prefsHandle 4296 -prefMapHandle 4292 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba5aafc-c52d-4af8-a559-38051b48bb48} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 2803bb64410 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	05:02:44
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaafa656-6b12-4778-a2b0-cfba142bdc4a} 8056 "\\.\pipe\gecko-crash-server-pipe.8056" 28029972f10 utility
Imagebase:	0x7ff72bec0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1587
Total number of Limit Nodes:	58

Executed Functions

Function 001142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0011430D

Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A

GetCurrentProcess.KERNEL32(?,001ACB64,00000000,?,?), ref: 00114422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00114429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00114454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00114466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00114474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0011447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001144A0

Strings

|O, xrefs: 001536F8
kernel32.dll, xrefs: 0011444F
GetNativeSystemInfo, xrefs: 00114460

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 748f170faf2c8b2e4f9fac8dbbc1c7ec9c3464d1d24a6bec13762d39d4240557
Instruction ID: 67385446f9f89ebad980138ab2f914aa52b08c8505828cb999e875150228a19a
Opcode Fuzzy Hash: 748f170faf2c8b2e4f9fac8dbbc1c7ec9c3464d1d24a6bec13762d39d4240557
Instruction Fuzzy Hash: 43A1927690A2C0EFC719C7EA78C15DD7FA47B26B61B1848A9D4519FE22D3304AC8CB71

Function 001142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001150AA,?,?,00000000,00000000), ref: 001142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001150AA,?,?,00000000,00000000), ref: 001142C9
LoadResource.KERNEL32(?,00000000,?,?,001150AA,?,?,00000000,00000000,?,?,?,?,?,?,00114F20), ref: 001535BE
SizeofResource.KERNEL32(?,00000000,?,?,001150AA,?,?,00000000,00000000,?,?,?,?,?,?,00114F20), ref: 001535D3
LockResource.KERNEL32(001150AA,?,?,001150AA,?,?,00000000,00000000,?,?,?,?,?,?,00114F20,?), ref: 001535E6

Strings

SCRIPT, xrefs: 001142BF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 35446feb399535b0c235ad2f973350ef9696f18b09a39c4b788b009944339cd9
Instruction ID: 24b94e386d054d8b553e0432767dfa9fe33659e3309c4b9aa0586b2217521a96
Opcode Fuzzy Hash: 35446feb399535b0c235ad2f973350ef9696f18b09a39c4b788b009944339cd9
Instruction Fuzzy Hash: A6118E74200700BFD7258B65EC48F6B7BBAEBC6B51F104169F452D6650DB71DC808A70

Function 00152BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00112B6B

Part of subcall function 00113A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001E1418,?,00112E7F,?,?,?,00000000), ref: 00113A78

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,001D2224), ref: 00152C10
ShellExecuteW.SHELL32(00000000,?,?,001D2224), ref: 00152C17

Strings

runas, xrefs: 00152C0B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b8386eb1a52cfd107d8f7c7efce91a99e39db921be15ddb60b420808dbc7e843
Instruction ID: 85f863dd578b7a354b6bd61b1a819049d56e83718d45a24fa799cadcaef43d55
Opcode Fuzzy Hash: b8386eb1a52cfd107d8f7c7efce91a99e39db921be15ddb60b420808dbc7e843
Instruction Fuzzy Hash: 0F11D6312083456AC71CFF60E8919FEB7A4AFB6350F44143DF1A2561A2CF319AC9D752

Function 0017D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0017D501
Process32FirstW.KERNEL32(00000000,?), ref: 0017D50F
Process32NextW.KERNEL32(00000000,?), ref: 0017D52F
CloseHandle.KERNELBASE(00000000), ref: 0017D5DC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 4f811193b7285d5a0cb7d2dc6ca6d4161ee4b67419b523bf3cfbfb3b1e497a2f
Instruction ID: 2098306f7e2747848776ff96c9223e9476df6d25120463af7580aa66f561d800
Opcode Fuzzy Hash: 4f811193b7285d5a0cb7d2dc6ca6d4161ee4b67419b523bf3cfbfb3b1e497a2f
Instruction Fuzzy Hash: 1B31D1711083059FD304EF54D881AAFBBF8EFA9344F10492DF589871A1EB719989CB92

Function 0017DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00155222), ref: 0017DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0017DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0017DBEE
FindClose.KERNEL32(00000000), ref: 0017DBFA

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 73daa6d1d4107bd8bd9ac3f6ca5b714391b6803861fff69dc3c196fed47e0404
Instruction ID: 8563f46e619ae25d6776cf5b43e6e4d5a115282c8fbe0e4e6a591b6496655551
Opcode Fuzzy Hash: 73daa6d1d4107bd8bd9ac3f6ca5b714391b6803861fff69dc3c196fed47e0404
Instruction Fuzzy Hash: CDF0A930810918A782216B78AC0D8AA37BD9F03334B10870AF83AC24E0EBB09D9486D6

Function 00134CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001428E9,?,00134CBE,001428E9,001D88B8,0000000C,00134E15,001428E9,00000002,00000000,?,001428E9), ref: 00134D09
TerminateProcess.KERNEL32(00000000,?,00134CBE,001428E9,001D88B8,0000000C,00134E15,001428E9,00000002,00000000,?,001428E9), ref: 00134D10
ExitProcess.KERNEL32 ref: 00134D22

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c2cee10e7cffc7409641f8951354a431a97f3c5719e58471da751fa5dba0f99b
Instruction ID: 113e28d1f47540e6e9f71a834f5be6a5a87788cb7937355d75e6c891b4d7f4cd
Opcode Fuzzy Hash: c2cee10e7cffc7409641f8951354a431a97f3c5719e58471da751fa5dba0f99b
Instruction Fuzzy Hash: EEE0B671000148ABCF11AF94DD09A593B69FF62791F104014FC159A532CB35EE82CA80

Function 0019AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0019B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0019B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0019B1D4
_wcslen.LIBCMT ref: 0019B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0019B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0019B236
_wcslen.LIBCMT ref: 0019B332

Part of subcall function 001805A7: GetStdHandle.KERNEL32(000000F6), ref: 001805C6

_wcslen.LIBCMT ref: 0019B34B
_wcslen.LIBCMT ref: 0019B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0019B3B6
GetLastError.KERNEL32(00000000), ref: 0019B407
CloseHandle.KERNEL32(?), ref: 0019B439
CloseHandle.KERNEL32(00000000), ref: 0019B44A
CloseHandle.KERNEL32(00000000), ref: 0019B45C
CloseHandle.KERNEL32(00000000), ref: 0019B46E
CloseHandle.KERNEL32(?), ref: 0019B4E3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 7478b195951c36fac5f4879d6f6ace0ca0a4f73718f59f4939a1ae79e7eabc4c
Instruction ID: 597040f6538708517384a0aea7a909e7461ad2e547b9c10ebbbd04e0eb141346
Opcode Fuzzy Hash: 7478b195951c36fac5f4879d6f6ace0ca0a4f73718f59f4939a1ae79e7eabc4c
Instruction Fuzzy Hash: 8EF1A0316083009FCB15EF24D991B6EBBE1BF85714F14856DF8999B2A2DB31EC44CB92

Function 0011D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0011D807
timeGetTime.WINMM ref: 0011DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0011DB28
TranslateMessage.USER32(?), ref: 0011DB7B
DispatchMessageW.USER32(?), ref: 0011DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0011DB9F
Sleep.KERNELBASE(0000000A), ref: 0011DBB1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: d1288786811a59b9d380ae0f9a5510a4d63621791285e1012549aed3d8f7626e
Instruction ID: bae8d6837c713a5a6e19fa0e8c3a47b61f70541fdc520bbcaa221d1924beb0ac
Opcode Fuzzy Hash: d1288786811a59b9d380ae0f9a5510a4d63621791285e1012549aed3d8f7626e
Instruction Fuzzy Hash: E942F130608741EFD72DCF24E884BAAB7E0BF56314F15852DE4968B691D7B4E8D4CB82

Function 00112CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00112D07
RegisterClassExW.USER32(00000030), ref: 00112D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00112D42
InitCommonControlsEx.COMCTL32(?), ref: 00112D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00112D6F
LoadIconW.USER32(000000A9), ref: 00112D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00112D94

Strings

0, xrefs: 00112CE9
TaskbarCreated, xrefs: 00112D37
+, xrefs: 00112CF0
AutoIt v3 GUI, xrefs: 00112D23

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fd33a4f057e1a8af2718b703646085b7ca3ab56137726dc5729ff5f285761d1e
Instruction ID: bd73ecfc064f162fa8089a07fd1b5809d2fc8f59eeeb39376f4ab3229fdf7ca4
Opcode Fuzzy Hash: fd33a4f057e1a8af2718b703646085b7ca3ab56137726dc5729ff5f285761d1e
Instruction Fuzzy Hash: 7B21C3B5901258AFDB00DFE4E989BDDBBB4FB09714F00811AF511AA6A0D7B54584CF91

Function 0015065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0015039A: CreateFileW.KERNELBASE(00000000,00000000,?,00150704,?,?,00000000,?,00150704,00000000,0000000C), ref: 001503B7

GetLastError.KERNEL32 ref: 0015076F
__dosmaperr.LIBCMT ref: 00150776
GetFileType.KERNELBASE(00000000), ref: 00150782
GetLastError.KERNEL32 ref: 0015078C
__dosmaperr.LIBCMT ref: 00150795
CloseHandle.KERNEL32(00000000), ref: 001507B5
CloseHandle.KERNEL32(?), ref: 001508FF
GetLastError.KERNEL32 ref: 00150931
__dosmaperr.LIBCMT ref: 00150938

Strings

H, xrefs: 001508BD

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a8be6f615e05bc767fc3184c7b159935232cbf032b3b15397b8506b70545e0df
Instruction ID: abb50ac3971bc6ec2e20a1ac422e43a9dce13e92e63b1f108e496e69e788d332
Opcode Fuzzy Hash: a8be6f615e05bc767fc3184c7b159935232cbf032b3b15397b8506b70545e0df
Instruction Fuzzy Hash: E1A11732A00144CFDF1AAFA8D891BAE7BA0AB1A325F14015DFC259F391DB319D57CB91

Function 0011344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00113A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001E1418,?,00112E7F,?,?,?,00000000), ref: 00113A78

Part of subcall function 00113357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00113379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0011356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0015318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001531CE
RegCloseKey.ADVAPI32(?), ref: 00153210
_wcslen.LIBCMT ref: 00153277
_wcslen.LIBCMT ref: 00153286

Strings

\Include\, xrefs: 00113527
\, xrefs: 0015328C
Software\AutoIt v3\AutoIt, xrefs: 00113560
Include, xrefs: 00153184, 001531C5

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 48d4e814a0341b24a2aa2d54918a2a05a4c88b0bcb23a5b7e36c7d2a5abe74f3
Instruction ID: 4ec42dd5af27266eff69a189f6251b3dccc6bd164cf8e2c54a62973e76b60ab6
Opcode Fuzzy Hash: 48d4e814a0341b24a2aa2d54918a2a05a4c88b0bcb23a5b7e36c7d2a5abe74f3
Instruction Fuzzy Hash: E4719E715043449EC318DFA5EC929AFBBE8FF99740F40042EF5559B1A0EB709A89CFA1

Function 00112B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00112B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00112B9D
LoadIconW.USER32(00000063), ref: 00112BB3
LoadIconW.USER32(000000A4), ref: 00112BC5
LoadIconW.USER32(000000A2), ref: 00112BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00112BEF
RegisterClassExW.USER32(?), ref: 00112C40

Part of subcall function 00112CD4: GetSysColorBrush.USER32(0000000F), ref: 00112D07
Part of subcall function 00112CD4: RegisterClassExW.USER32(00000030), ref: 00112D31
Part of subcall function 00112CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00112D42
Part of subcall function 00112CD4: InitCommonControlsEx.COMCTL32(?), ref: 00112D5F
Part of subcall function 00112CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00112D6F
Part of subcall function 00112CD4: LoadIconW.USER32(000000A9), ref: 00112D85
Part of subcall function 00112CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00112D94

Strings

AutoIt v3, xrefs: 00112C2F
0, xrefs: 00112C0F
#, xrefs: 00112C16

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3e3ebe15430b94209254af83f21daa8e21ea28585f1a1e78e293caaff195ed85
Instruction ID: c71e8c28bc0b43ce0832ed4e7e5e82ba7fa2756cf02f39c2d7b291a292df611e
Opcode Fuzzy Hash: 3e3ebe15430b94209254af83f21daa8e21ea28585f1a1e78e293caaff195ed85
Instruction Fuzzy Hash: 56210974E00358BBDB109FE5EC95AAD7FB4FB48B60F04002AF500AAAA0D7B115C0CF90

Function 00113170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0011316A,?,?), ref: 001131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0011316A,?,?), ref: 00113204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00113227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0011316A,?,?), ref: 00113232
CreatePopupMenu.USER32 ref: 00113246
PostQuitMessage.USER32(00000000), ref: 00113267

Strings

TaskbarCreated, xrefs: 0011322D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 191bb093c1c64b55ab92bc984378f07bfc3431adb64e9ecc240ea81e0fb8a700
Instruction ID: b69d57e631b195b614431435d583b17098e465eabc0d725e219317877d38b76d
Opcode Fuzzy Hash: 191bb093c1c64b55ab92bc984378f07bfc3431adb64e9ecc240ea81e0fb8a700
Instruction Fuzzy Hash: 72412936340244BBDB1D7BB89D4DBFD366AE706354F040135F9329A9A5CB718AC097A1

Function 00111410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00111459
CoUninitialize.COMBASE ref: 001114F8
UnregisterHotKey.USER32(?), ref: 001116DD
DestroyWindow.USER32(?), ref: 001524B9
FreeLibrary.KERNEL32(?), ref: 0015251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0015254B

Strings

close all, xrefs: 00111454

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 37e43adb920d3b24339006d24cb9e63110ed50cb646bb7ca4ba25d9d6ae1da98
Instruction ID: a816e3341f212d8d2a63a39184ae451e99c8a32625fd48614b0a6863e9485c15
Opcode Fuzzy Hash: 37e43adb920d3b24339006d24cb9e63110ed50cb646bb7ca4ba25d9d6ae1da98
Instruction Fuzzy Hash: 5ED1BC32701222DFCB2DEF14C598BA9F7A0BF16700F1541ADE95A6B252DB30AC56CF90

Function 00112C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00112C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00112CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00111CAD,?), ref: 00112CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00111CAD,?), ref: 00112CCF

Strings

edit, xrefs: 00112CAC
AutoIt v3, xrefs: 00112C89, 00112C8E, 00112C8F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d578ad16c12d07c79b0339c409c3a54ac4692404b3bd2f608923e5f6c7e1d190
Instruction ID: 24c6c5d5ef01cd21cd2bf075b100f2b1910506961205f24db6e7201fd2d30264
Opcode Fuzzy Hash: d578ad16c12d07c79b0339c409c3a54ac4692404b3bd2f608923e5f6c7e1d190
Instruction Fuzzy Hash: 93F0DA755402D07AEB311797AC88E7B7EBDE7C7F60F00005AF900AA9A0C67118D1DAB0

Function 00113B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00113B0F,SwapMouseButtons,00000004,?), ref: 00113B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00113B0F,SwapMouseButtons,00000004,?), ref: 00113B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00113B0F,SwapMouseButtons,00000004,?), ref: 00113B83

Strings

Control Panel\Mouse, xrefs: 00113B3E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 12a9da0f28b469c9048fbbf244c319f73947643cb294e9f97fa5bd5c08ecf616
Instruction ID: 642452d541df93933241fa3e3a3c777e3b3f8a869c525235294a87971da3bbd2
Opcode Fuzzy Hash: 12a9da0f28b469c9048fbbf244c319f73947643cb294e9f97fa5bd5c08ecf616
Instruction Fuzzy Hash: 8A1127B5614208FFDB258FA5DC84AEFBBB8EF45744B10846AB815D7114E3319E809BA4

Function 00113923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001533A2

Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00113A04

Strings

Line: , xrefs: 001533EB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: dae788f0ca57a168b1997d4029b56482f2cac176d45e6d22ab2c35da7b3589af
Instruction ID: 2eb0148cf9b69efa3abd140599ee3962fb8597af74191815f2bfca2fa8455109
Opcode Fuzzy Hash: dae788f0ca57a168b1997d4029b56482f2cac176d45e6d22ab2c35da7b3589af
Instruction Fuzzy Hash: F131D071408344AAC329EB60DC45BEFB7E8BF54724F00493AF5A997591EB709AC9C7C2

Function 0012FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00130668

Part of subcall function 001332A4: RaiseException.KERNEL32(?,?,?,0013068A,?,001E1444,?,?,?,?,?,?,0013068A,00111129,001D8738,00111129), ref: 00133304

__CxxThrowException@8.LIBVCRUNTIME ref: 00130685

Strings

Unknown exception, xrefs: 00130692

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 212b25279b9d73656f252256dd62131e8a8e9b1bd01c22c8fde54e5ce140e990
Instruction ID: 583fae43c9bb4c54a236b02fb0690aa3be944aa841cbaa03c03fa01344361655
Opcode Fuzzy Hash: 212b25279b9d73656f252256dd62131e8a8e9b1bd01c22c8fde54e5ce140e990
Instruction Fuzzy Hash: 76F0CD3490020DB7CB05BAE8E856C9E7BBC9E14310F604535B824D65D6EF71EA6ACA80

Function 001110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00111BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00111BF4
Part of subcall function 00111BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00111BFC
Part of subcall function 00111BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00111C07
Part of subcall function 00111BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00111C12
Part of subcall function 00111BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00111C1A
Part of subcall function 00111BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00111C22

Part of subcall function 00111B4A: RegisterWindowMessageW.USER32(00000004,?,001112C4), ref: 00111BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0011136A
OleInitialize.OLE32 ref: 00111388
CloseHandle.KERNEL32(00000000,00000000), ref: 001524AB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 86c6788fc924b0f50b5c0bf24191e152a4f1d3630315ecd7eddff7bd9abdc773
Instruction ID: 091b0afbc60dec2d1654a3ce14a4320ef3cfe75cfc21ceac13f6bc8bd1265a6f
Opcode Fuzzy Hash: 86c6788fc924b0f50b5c0bf24191e152a4f1d3630315ecd7eddff7bd9abdc773
Instruction Fuzzy Hash: 967191B59013C4BEC788DFB9A985A9D7AE1FF9A344394812AD40ADFB61E77044C1CF41

Function 0017C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00113923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00113A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0017C259
KillTimer.USER32(?,00000001,?,?), ref: 0017C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0017C270

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 8e57b74185b07ac261f78fdf04cfcfc115ca5884749342111694442ee175b931
Instruction ID: 44ca09820f1f474fb5a6992b001ae2989acb9f74e81af4a67c45d87378b70558
Opcode Fuzzy Hash: 8e57b74185b07ac261f78fdf04cfcfc115ca5884749342111694442ee175b931
Instruction Fuzzy Hash: 8E319570904344AFEB22DF649895BEBBBFCAB16304F10449DD6DEA7242C7745AC4CB91

Function 001486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001485CC,?,001D8CC8,0000000C), ref: 00148704
GetLastError.KERNEL32(?,001485CC,?,001D8CC8,0000000C), ref: 0014870E
__dosmaperr.LIBCMT ref: 00148739

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d6f923436baf32c7750ca444f63259813323fc5441fb7e2f7aa2615e15223ed5
Instruction ID: 0864b616b8f4fbcf6fcec5a40d3bff5ab6237f60c7499084e94aaf9618be6fcb
Opcode Fuzzy Hash: d6f923436baf32c7750ca444f63259813323fc5441fb7e2f7aa2615e15223ed5
Instruction Fuzzy Hash: AB014933A0566027D7A56734A885B7E674A5B92B78F3A0119F8188B1F3DFA0CCC28190

Function 0011DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0011DB7B
DispatchMessageW.USER32(?), ref: 0011DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0011DB9F
Sleep.KERNELBASE(0000000A), ref: 0011DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00161CC9

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 0dc4bde6ce84175ee09f3c1ec6d8950c77205117e30db5a6322c1eeb40d13697
Instruction ID: 67baeaceca821a15c2bdf83ab3967108db4e92796985b992530947a487c256dc
Opcode Fuzzy Hash: 0dc4bde6ce84175ee09f3c1ec6d8950c77205117e30db5a6322c1eeb40d13697
Instruction Fuzzy Hash: 1DF0FE31644384ABE734CBB09C89FEE73ACEB86310F544529E65A974D0DB30A4C89B65

Function 00121310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001217F6

Strings

CALL, xrefs: 001217C6

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8a00770f1d501ba65d31dfd9fe115044c749c63579fbd824fd76b96651c5d257
Instruction ID: aa99de9201513d9e44fe9437b32ca47b58eaad87b7b6a7be7701c9d883eadbe2
Opcode Fuzzy Hash: 8a00770f1d501ba65d31dfd9fe115044c749c63579fbd824fd76b96651c5d257
Instruction Fuzzy Hash: 4522BC70608251EFC718DF14E890B2ABBF1BFA5304F14896DF49A8B361D771E861CB82

Function 00112DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00152C8C

Part of subcall function 00113AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00113A97,?,?,00112E7F,?,?,?,00000000), ref: 00113AC2

Part of subcall function 00112DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00112DC4

Strings

X, xrefs: 00152C5A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 3c1d9fd470641ff82ab34c65eaa49ff9402134d32c274e59cb3ecb6a740c83fb
Instruction ID: 4888aeeb07dbd3e2c9e029f4cfb657da4fcca78ea9021df8205ce2e12a2b9660
Opcode Fuzzy Hash: 3c1d9fd470641ff82ab34c65eaa49ff9402134d32c274e59cb3ecb6a740c83fb
Instruction Fuzzy Hash: 4E21D571A002589FCB45EF94D845BEE7BF8AF59304F00406AE415BB241DBB45A8D8FA1

Function 00113837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00113908

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4382b678ed46e413c1e7763855454ffd979478b29a16fbf75e7d011fec273029
Instruction ID: 5bbcbb4a2ec01485cfa615a86ec02eaff5b22adc963b86a48d517f32d689bb82
Opcode Fuzzy Hash: 4382b678ed46e413c1e7763855454ffd979478b29a16fbf75e7d011fec273029
Instruction Fuzzy Hash: 27318F70504701DFD721DF64D8847DBBBE8FB49718F00092EF9A997640E771AA84CB92

Function 0012F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0012F661

Part of subcall function 0011D730: GetInputState.USER32 ref: 0011D807

Sleep.KERNEL32(00000000), ref: 0016F2DE

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 89b735d2402fee93055f9eef54c546387492dbb8de69397e2ab05dd585c758db
Instruction ID: 95b5bbedf1a8f228658ab67d0af9dd07e25467f7028163111dadc53ede0de088
Opcode Fuzzy Hash: 89b735d2402fee93055f9eef54c546387492dbb8de69397e2ab05dd585c758db
Instruction Fuzzy Hash: DEF08C312442159FD358EF69E849BAAB7E9EF56760F000039E859C72A0EB70A880CF90

Function 0011B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0011BB4E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: b436f7276a22dbaca630cd7e2f7d11664e2fa5307188970523a4e33994066326
Instruction ID: deb100187017e361a3147853c9b8d37930bcd4dea28aaede2e5709b35df3774f
Opcode Fuzzy Hash: b436f7276a22dbaca630cd7e2f7d11664e2fa5307188970523a4e33994066326
Instruction Fuzzy Hash: AD32AB74A082099FDB29CF54C8E4AFEB7B9FF48304F158069E905AB291C774ED91CB91

Function 00114ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00114E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00114EDD,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E9C
Part of subcall function 00114E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00114EAE
Part of subcall function 00114E90: FreeLibrary.KERNEL32(00000000,?,?,00114EDD,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114EFD

Part of subcall function 00114E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00153CDE,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E62
Part of subcall function 00114E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00114E74
Part of subcall function 00114E59: FreeLibrary.KERNEL32(00000000,?,?,00153CDE,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E87

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 932e3053a9db4cc65f6eea81051733c13990a37663e0178b1094de328ebebd07
Instruction ID: 5cb87280bfdfbcfc7c9194a180292ca591bfd75f45212574b9565e47c16767d7
Opcode Fuzzy Hash: 932e3053a9db4cc65f6eea81051733c13990a37663e0178b1094de328ebebd07
Instruction Fuzzy Hash: 60112731600206ABCF18BB64DC02FED77A59F60B10F10843EF552AA2C1EF759A85D790

Function 00148402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00148440

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 94f13716b65728dfd6692390d2456600459d137e505b704aeae29095c9a402e4
Instruction ID: abf4665fcd5f2aee132ce14921e4a1ffc978ade302d7f843cd47d3fa316f9672
Opcode Fuzzy Hash: 94f13716b65728dfd6692390d2456600459d137e505b704aeae29095c9a402e4
Instruction Fuzzy Hash: 8411187590410AAFCB05DF58E941A9E7BF5EF48314F154059FC08AB312DB31DA11CBA5

Function 00145000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00144C7D: RtlAllocateHeap.NTDLL(00000008,00111129,00000000,?,00142E29,00000001,00000364,?,?,?,0013F2DE,00143863,001E1444,?,0012FDF5,?), ref: 00144CBE

_free.LIBCMT ref: 0014506C

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: f3dd06ecfda4c4c20c097e655102bf4fb40989fa7111eda4a402390735178a1a
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C70126762047056BE3218F65D881A9AFBE9FB89370F65051DF19483281EB30A805C6B4

Function 0013E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: bedcf0782a71e7d8b631b8f7356dfbfe6c55bcf5e0c00dc08e1183267278cfbb
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3AF0C872511B14D7D7313A6A9C06B9B37D89F72335F110719F825931E2DB74D8028AA5

Function 00144C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00111129,00000000,?,00142E29,00000001,00000364,?,?,?,0013F2DE,00143863,001E1444,?,0012FDF5,?), ref: 00144CBE

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 45671d387ab6eb8cbba1c04f24f9da2527f0ab3dc60d93699901cf9c71aed224
Instruction ID: 46a7b6af6d20dce0eeeded315fc140211edc0447be5c33b97b18f255431e342d
Opcode Fuzzy Hash: 45671d387ab6eb8cbba1c04f24f9da2527f0ab3dc60d93699901cf9c71aed224
Instruction Fuzzy Hash: 93F0E231602224A7EB215F62AC89B5B3788BF517B1F1D4125BC19AA2A0CB30E80196E0

Function 00143820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e142e0cab25f8574ec04079af9b1e72137fcc82864755bf5347d2a67a06175b3
Instruction ID: 5d956d73bfb088b60af83cb995b4b03fdbdd6131b58f07c30ed3f834020a00b7
Opcode Fuzzy Hash: e142e0cab25f8574ec04079af9b1e72137fcc82864755bf5347d2a67a06175b3
Instruction Fuzzy Hash: 06E09B31501226A7E73126B79C05B9BB749AF527B0F150335BC35969F1DB21ED0185E1

Function 00114F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114F6D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a9231c95f700b90363a7c7c7358424098c7036bc3cd4cff23a30955ce73b774f
Instruction ID: 53dd77e8029383c802beaf4ef75e9dc61cb1d0433c27be2250aafc0b9cc3ca0d
Opcode Fuzzy Hash: a9231c95f700b90363a7c7c7358424098c7036bc3cd4cff23a30955ce73b774f
Instruction Fuzzy Hash: CCF03971105752CFDB3C9F68D4908A2BBE4EF15729324897EE1EA86621C7319889DF90

Function 001A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001A2A66

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 32db2ab9ce5106e746cb62c6302128972e46a2c0fa3e2b68270d4d9aa8b51e05
Instruction ID: 1e8e02ddfd3b11f003758a493fcf33f357ae521f146dfaa623709970ef789ac3
Opcode Fuzzy Hash: 32db2ab9ce5106e746cb62c6302128972e46a2c0fa3e2b68270d4d9aa8b51e05
Instruction Fuzzy Hash: 18E04F3A350116AFC754EA34DC809FA735CEB61395B104536EC2AD3500DB309A9596E0

Function 001130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0011314E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 313609029f3d1cdf2aa9fd6d1673e9ada2c6c49a59dee9cff63594a3de8591f2
Instruction ID: e52a966e6a6af9fda8e45661f339a4789fea861c096f62132970df231de92aa3
Opcode Fuzzy Hash: 313609029f3d1cdf2aa9fd6d1673e9ada2c6c49a59dee9cff63594a3de8591f2
Instruction Fuzzy Hash: 11F0A770900344AFE752DB64DC857D97BBCB705708F0000E5A548A6581D77047C8CF41

Function 00112DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00112DC4

Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d293ef468bcdae7f62d0a7d26c9c80960e6fef2360ca3a3e429aa36173645bca
Instruction ID: c05a51cdea394877f294e4a451f9bf4a106f98ab7d16a4eb79e17ddfeef9cb3d
Opcode Fuzzy Hash: d293ef468bcdae7f62d0a7d26c9c80960e6fef2360ca3a3e429aa36173645bca
Instruction Fuzzy Hash: 61E0CD726041245BC71192589C05FEA77DDDFC8790F050072FD09D7248DA60ADC48590

Function 00112B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00113837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00113908

Part of subcall function 0011D730: GetInputState.USER32 ref: 0011D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00112B6B

Part of subcall function 001130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0011314E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 88e22f8c11709b2d140194101ff2c68b4991bcf308278cf49922f72aef41f50f
Instruction ID: 6a55a68b2c481f762f31560d8610aba0251fd2a3b03327786d43e542672d0f49
Opcode Fuzzy Hash: 88e22f8c11709b2d140194101ff2c68b4991bcf308278cf49922f72aef41f50f
Instruction Fuzzy Hash: 1DE0863130424817CA0CBB75A8525EDB7999BF5355F40153EF152472A2CF7489C54352

Function 0015039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00150704,?,?,00000000,?,00150704,00000000,0000000C), ref: 001503B7

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 14eda14a6c6617d2d9ab3575a7f79c759f57c02991f5691edb20d1254360c044
Instruction ID: d831e0fcdced6aed2031b2f963cf1f805684a1f77187012afdf792bcca9d27c2
Opcode Fuzzy Hash: 14eda14a6c6617d2d9ab3575a7f79c759f57c02991f5691edb20d1254360c044
Instruction Fuzzy Hash: 33D06C3214010DFBDF029F84DD06EDA3BAAFB48714F014000BE1856020C736E861AB90

Function 00111CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00111CBC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a1b95f598c7364278b8141a6b9a13bbd071e996375794fc85470ab62a862a464
Instruction ID: 03aa2a13158bc1686de1aeabdebaf1171c37ac8c75c27242887978a5008e4e95
Opcode Fuzzy Hash: a1b95f598c7364278b8141a6b9a13bbd071e996375794fc85470ab62a862a464
Instruction Fuzzy Hash: AEC09B35380345AFF21447C0BD9AF547754B749B10F444001F6095DDE3C7B11890D690

Non-executed Functions

Function 001A9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001A96C9
SendMessageW.USER32 ref: 001A96F2
GetKeyState.USER32(00000011), ref: 001A978B
GetKeyState.USER32(00000009), ref: 001A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001A97AE
GetKeyState.USER32(00000010), ref: 001A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001A97E9
SendMessageW.USER32 ref: 001A9810
SendMessageW.USER32(?,00001030,?,001A7E95), ref: 001A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001A9941
SetCapture.USER32(?), ref: 001A994A
ClientToScreen.USER32(?,?), ref: 001A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001A99D6
ReleaseCapture.USER32 ref: 001A99E1
GetCursorPos.USER32(?), ref: 001A9A19
ScreenToClient.USER32(?,?), ref: 001A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001A9A80
SendMessageW.USER32 ref: 001A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001A9AEB
SendMessageW.USER32 ref: 001A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001A9B4A
GetCursorPos.USER32(?), ref: 001A9B68
ScreenToClient.USER32(?,?), ref: 001A9B75
GetParent.USER32(?), ref: 001A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001A9BFA
SendMessageW.USER32 ref: 001A9C2B
ClientToScreen.USER32(?,?), ref: 001A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001A9CDE
SendMessageW.USER32 ref: 001A9D01
ClientToScreen.USER32(?,?), ref: 001A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001A9D82

Part of subcall function 00129944: GetWindowLongW.USER32(?,000000EB), ref: 00129952

GetWindowLongW.USER32(?,000000F0), ref: 001A9E05

Strings

@GUI_DRAGID, xrefs: 001A997D
F, xrefs: 001A9D07

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 133a92ab2ab76035b85650e1f2d061b740a8102edb4102caac44719461bdec6c
Instruction ID: a90b7793011989b9c78dac118a9c5ab5958644f5b6262bfb5c75a2e7e0ca6e71
Opcode Fuzzy Hash: 133a92ab2ab76035b85650e1f2d061b740a8102edb4102caac44719461bdec6c
Instruction Fuzzy Hash: E242AE78604341AFDB25CF64CC84EAABBE5FF4A314F140619F699876A1D731E890CF91

Function 001A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001A4A7E
IsMenu.USER32(?), ref: 001A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001A4B20
GetWindowLongW.USER32(?,000000F0), ref: 001A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001A4C82
wsprintfW.USER32 ref: 001A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001A4D5A

Strings

%d/%02d/%02d, xrefs: 001A4CA8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: edc0fd28a09001f501f05ceed603e63f91f2681b3748ebda8260e133f500a8e3
Instruction ID: f0f60805823df307498c11c7764d861864a017b8eabd9da6d31abffe3fe3bd31
Opcode Fuzzy Hash: edc0fd28a09001f501f05ceed603e63f91f2681b3748ebda8260e133f500a8e3
Instruction Fuzzy Hash: 3C12D175600214AFEB258F68DC49FEE7BF8AF86710F104129F51AEB2D1DBB49941CB90

Function 0012F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0012F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0016F474
IsIconic.USER32(00000000), ref: 0016F47D
ShowWindow.USER32(00000000,00000009), ref: 0016F48A
SetForegroundWindow.USER32(00000000), ref: 0016F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0016F4AA
GetCurrentThreadId.KERNEL32 ref: 0016F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0016F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0016F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0016F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0016F4DE
SetForegroundWindow.USER32(00000000), ref: 0016F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0016F4F6
keybd_event.USER32(00000012,00000000), ref: 0016F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0016F50B
keybd_event.USER32(00000012,00000000), ref: 0016F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0016F519
keybd_event.USER32(00000012,00000000), ref: 0016F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0016F528
keybd_event.USER32(00000012,00000000), ref: 0016F52D
SetForegroundWindow.USER32(00000000), ref: 0016F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0016F557

Strings

Shell_TrayWnd, xrefs: 0016F46F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 48ef190a2d6d736da7d71690f2d9765e8e9cdbcd82e40f62b12a5933a6f04778
Instruction ID: 21bc4848eb14780be26d53a2e90012c6148f41418934fb0f506b7344c52e84b5
Opcode Fuzzy Hash: 48ef190a2d6d736da7d71690f2d9765e8e9cdbcd82e40f62b12a5933a6f04778
Instruction Fuzzy Hash: C2318271B40218BFEB206BB55C4AFBF7E6CEB45B50F10002AFA05E61D1CBB05D51AEA0

Function 00171201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0017170D
Part of subcall function 001716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0017173A
Part of subcall function 001716C3: GetLastError.KERNEL32 ref: 0017174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00171286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001712A8
CloseHandle.KERNEL32(?), ref: 001712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001712D1
GetProcessWindowStation.USER32 ref: 001712EA
SetProcessWindowStation.USER32(00000000), ref: 001712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00171310

Part of subcall function 001710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001711FC), ref: 001710D4
Part of subcall function 001710BF: CloseHandle.KERNEL32(?,?,001711FC), ref: 001710E9

Strings

default, xrefs: 0017130B
winsta0, xrefs: 001712CC
, xrefs: 0017125A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: cd3d1a47960bc1667a9f9d814d86d9833e816fa583db4974141132e2ab595bac
Instruction ID: 20a32dfcbb22768e7f034e5d47aedfd2ebc40cdafadbac4462ee6385e9d0ab90
Opcode Fuzzy Hash: cd3d1a47960bc1667a9f9d814d86d9833e816fa583db4974141132e2ab595bac
Instruction Fuzzy Hash: EF819D71900209BFDF219FA8DC49FEE7BB9FF09704F148129F919A62A0D7719984CB61

Function 00170B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00171114
Part of subcall function 001710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171120
Part of subcall function 001710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 0017112F
Part of subcall function 001710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171136
Part of subcall function 001710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0017114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00170BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00170C00
GetLengthSid.ADVAPI32(?), ref: 00170C17
GetAce.ADVAPI32(?,00000000,?), ref: 00170C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00170C6D
GetLengthSid.ADVAPI32(?), ref: 00170C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00170C8C
HeapAlloc.KERNEL32(00000000), ref: 00170C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00170CB4
CopySid.ADVAPI32(00000000), ref: 00170CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00170CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00170D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00170D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170D45
HeapFree.KERNEL32(00000000), ref: 00170D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170D55
HeapFree.KERNEL32(00000000), ref: 00170D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170D65
HeapFree.KERNEL32(00000000), ref: 00170D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00170D78
HeapFree.KERNEL32(00000000), ref: 00170D7F

Part of subcall function 00171193: GetProcessHeap.KERNEL32(00000008,00170BB1,?,00000000,?,00170BB1,?), ref: 001711A1
Part of subcall function 00171193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00170BB1,?), ref: 001711A8
Part of subcall function 00171193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00170BB1,?), ref: 001711B7

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cdde17eda09e0baf1e9322ff304336f9b843bd329447da01f8cb586f731b259c
Instruction ID: 6d98ad746a487877f5e7cad33ba4de69dd68df015b833fd9283044c1718b287a
Opcode Fuzzy Hash: cdde17eda09e0baf1e9322ff304336f9b843bd329447da01f8cb586f731b259c
Instruction Fuzzy Hash: D2717D75A0030AEBDF11DFE4DC44FAEBBB8BF09310F148515F918A6291D771AA45CBA0

Function 0018EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001ACC08), ref: 0018EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0018EB37
GetClipboardData.USER32(0000000D), ref: 0018EB43
CloseClipboard.USER32 ref: 0018EB4F
GlobalLock.KERNEL32(00000000), ref: 0018EB87
CloseClipboard.USER32 ref: 0018EB91
GlobalUnlock.KERNEL32(00000000), ref: 0018EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0018EBC9
GetClipboardData.USER32(00000001), ref: 0018EBD1
GlobalLock.KERNEL32(00000000), ref: 0018EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0018EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0018EC38
GetClipboardData.USER32(0000000F), ref: 0018EC44
GlobalLock.KERNEL32(00000000), ref: 0018EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0018EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0018EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0018ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0018ECF3
CountClipboardFormats.USER32 ref: 0018ED14
CloseClipboard.USER32 ref: 0018ED59

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 58b575d8e75e97c6503e91a6f467e52b167be090f72076c72df81e2b8744b3f5
Instruction ID: 1e07a06347a448176c2453f4e0715005be908a177749e756bea82d96316b09b6
Opcode Fuzzy Hash: 58b575d8e75e97c6503e91a6f467e52b167be090f72076c72df81e2b8744b3f5
Instruction Fuzzy Hash: 8861E2742043019FD304EF64D894F6ABBE4AF95714F04451DF456972A2DB31EE89CFA2

Function 0018698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001869BE
FindClose.KERNEL32(00000000), ref: 00186A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00186A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00186A75

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00186AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00186ADF

Strings

%03d, xrefs: 00186DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00186B32
%02d, xrefs: 00186C00, 00186C0A, 00186C5A, 00186CAA, 00186CFA, 00186D4A
%4d, xrefs: 00186BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00186B6A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 674e4d6479db7568c7db4e048b22297fedbf6a25014df2c637d455938bed1290
Instruction ID: 860757b2c9438159f80cc2be90d92d6d0a2108860df58ade0bfcf079eede4843
Opcode Fuzzy Hash: 674e4d6479db7568c7db4e048b22297fedbf6a25014df2c637d455938bed1290
Instruction Fuzzy Hash: 14D15072508300AFC314EBA4D891EABB7FCAF98704F04492DF595D7291EB74DA45CBA2

Function 00189642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00189663
GetFileAttributesW.KERNEL32(?), ref: 001896A1
SetFileAttributesW.KERNEL32(?,?), ref: 001896BB
FindNextFileW.KERNEL32(00000000,?), ref: 001896D3
FindClose.KERNEL32(00000000), ref: 001896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0018974A
SetCurrentDirectoryW.KERNEL32(001D6B7C), ref: 00189768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00189772
FindClose.KERNEL32(00000000), ref: 0018977F
FindClose.KERNEL32(00000000), ref: 0018978F

Strings

*.*, xrefs: 001896F5

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: d7de3fb32d8600918ca75445c70637e104f9c888270ede788a44752b21acb726
Instruction ID: a4637fc1c21c7eca59beba0b2a60a4c9595e5db1f02c179cf444383f2b2e6c8c
Opcode Fuzzy Hash: d7de3fb32d8600918ca75445c70637e104f9c888270ede788a44752b21acb726
Instruction Fuzzy Hash: C131A4326412197EDF14EFB4DC49AEE77ACAF4A320F184156F815E2191EB34DE848F94

Function 0018979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00189819
FindClose.KERNEL32(00000000), ref: 00189824
FindFirstFileW.KERNEL32(*.*,?), ref: 00189840
SetCurrentDirectoryW.KERNEL32(?), ref: 00189890
SetCurrentDirectoryW.KERNEL32(001D6B7C), ref: 001898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001898B8
FindClose.KERNEL32(00000000), ref: 001898C5
FindClose.KERNEL32(00000000), ref: 001898D5

Part of subcall function 0017DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0017DB00

Strings

*.*, xrefs: 0018983B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d581cacaed04675afe57595a18f61817a4d3b16e38453ad5fe4d387c589d2a7c
Instruction ID: 064708573c1c93dfb7c35a34a4556df1af8edc297421abb2a07367a56f77f145
Opcode Fuzzy Hash: d581cacaed04675afe57595a18f61817a4d3b16e38453ad5fe4d387c589d2a7c
Instruction Fuzzy Hash: 7931A13160061E6EDF10AFB4EC48AEE77ADAF07324F184166E854A2191DB30DE848FA0

Function 0019BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0019C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019C9F1
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA68
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0019BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0019BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0019C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0019C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0019C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0019C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0019C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0019C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0019C382
RegCloseKey.ADVAPI32(00000000), ref: 0019C38F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: c782f8a5f8558870af6627a3bee08121e158932d51725b65f610cd7c3c4fd868
Instruction ID: 3b3cc0d60b28e07e3c3e417f16c2e7ee64d638360f946462b839d783c427b676
Opcode Fuzzy Hash: c782f8a5f8558870af6627a3bee08121e158932d51725b65f610cd7c3c4fd868
Instruction Fuzzy Hash: 3C025E716042009FDB14DF28C895E2ABBE5FF49314F1984ADF48ACB2A2D731ED45CB91

Function 00188195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00188257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00188267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00188273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00188310
SetCurrentDirectoryW.KERNEL32(?), ref: 00188324
SetCurrentDirectoryW.KERNEL32(?), ref: 00188356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0018838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00188395

Strings

*.*, xrefs: 0018839B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 33d06938c3bf24ba871320b6ab4287cd03d4bbaba1aefdf7ba629b34b076dc69
Instruction ID: 5815347096710b43d4e257a04f5b73b7830225ef7e513109cdc7bb94239495f2
Opcode Fuzzy Hash: 33d06938c3bf24ba871320b6ab4287cd03d4bbaba1aefdf7ba629b34b076dc69
Instruction Fuzzy Hash: 0E617D715043059FCB14EF64D8809AEB3E9FF99310F44892EF99987251EB31EA45CF92

Function 0017D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00113AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00113A97,?,?,00112E7F,?,?,?,00000000), ref: 00113AC2

Part of subcall function 0017E199: GetFileAttributesW.KERNEL32(?,0017CF95), ref: 0017E19A

FindFirstFileW.KERNEL32(?,?), ref: 0017D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0017D1DD
MoveFileW.KERNEL32(?,?), ref: 0017D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0017D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0017D237

Part of subcall function 0017D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0017D21C,?,?), ref: 0017D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0017D253
FindClose.KERNEL32(00000000), ref: 0017D264

Strings

\*.*, xrefs: 0017D0CD, 0017D0D6, 0017D0EB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 1c543746a1130968794cd3406c157618de54c17133fb5dd3e40bed746a68cc05
Instruction ID: 249d4ed3855ed6294a9e54d1a8356b485800cebcc633c6c48e929514d675598a
Opcode Fuzzy Hash: 1c543746a1130968794cd3406c157618de54c17133fb5dd3e40bed746a68cc05
Instruction Fuzzy Hash: 82618031C0110D9FCF09EBE0E9929EDB7B5AF25300F648165E41A77192EB316F8ADB60

Function 0018ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0018ED91
EmptyClipboard.USER32 ref: 0018ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0018EDAC
CloseClipboard.USER32 ref: 0018EEA3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 24153c2e69e52cd6ee68103a9b4b90cf289cf7f002ff2d60a81be3e61374a94c
Instruction ID: 0ba3ca4efa7bd7a3ee26e6a0eceae3fc7df23a97e82624014efb25f086e319ba
Opcode Fuzzy Hash: 24153c2e69e52cd6ee68103a9b4b90cf289cf7f002ff2d60a81be3e61374a94c
Instruction Fuzzy Hash: F6419A75204611AFE324EF55D888B59BBE1EF45328F14C099E4198BBA2C735ED82CFD0

Function 0017E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0017170D
Part of subcall function 001716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0017173A
Part of subcall function 001716C3: GetLastError.KERNEL32 ref: 0017174A

ExitWindowsEx.USER32(?,00000000), ref: 0017E932

Strings

@, xrefs: 0017E925
SeShutdownPrivilege, xrefs: 0017E902
, xrefs: 0017E920
, xrefs: 0017E95C

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 11ef1f9b1ba556b5b10173260f20584e08cbc32cf3e21131a4d51c0c5f8d6d9f
Instruction ID: 13fefa59b1bec97063175a90715ec019feb0704ccbfbde8efaf926a7b3d360d8
Opcode Fuzzy Hash: 11ef1f9b1ba556b5b10173260f20584e08cbc32cf3e21131a4d51c0c5f8d6d9f
Instruction Fuzzy Hash: 0B01FE73610211BFEB5826789C85FBF72FC9718758F158462FE07E21D1D7A05C4086D0

Function 00191204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00191276
WSAGetLastError.WSOCK32 ref: 00191283
bind.WSOCK32(00000000,?,00000010), ref: 001912BA
WSAGetLastError.WSOCK32 ref: 001912C5
closesocket.WSOCK32(00000000), ref: 001912F4
listen.WSOCK32(00000000,00000005), ref: 00191303
WSAGetLastError.WSOCK32 ref: 0019130D
closesocket.WSOCK32(00000000), ref: 0019133C

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9534c7840be6d7185cae541f43e6e352be85de5a9609a447a64b3316dd0262ca
Instruction ID: b2844605976bed82aaee557656fa849159e733df659a262f6bec3a7b004750fe
Opcode Fuzzy Hash: 9534c7840be6d7185cae541f43e6e352be85de5a9609a447a64b3316dd0262ca
Instruction Fuzzy Hash: B6417331600101AFDB14EF64D484B69BBE6BF46314F288198D8569F2D2C775EDC1CBE1

Function 0017D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00113AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00113A97,?,?,00112E7F,?,?,?,00000000), ref: 00113AC2

Part of subcall function 0017E199: GetFileAttributesW.KERNEL32(?,0017CF95), ref: 0017E19A

FindFirstFileW.KERNEL32(?,?), ref: 0017D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0017D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0017D481
FindClose.KERNEL32(00000000), ref: 0017D498
FindClose.KERNEL32(00000000), ref: 0017D4A1

Strings

\*.*, xrefs: 0017D3F2

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 79d139cf2bff019e1fb6c1e8d18d06f5afc61f81b8dea65d4552642f87d45777
Instruction ID: 7f5dab3ed47acd3ba68eb6ff6ba3b8235c67df66f06e3733a3b8bed6556596d2
Opcode Fuzzy Hash: 79d139cf2bff019e1fb6c1e8d18d06f5afc61f81b8dea65d4552642f87d45777
Instruction Fuzzy Hash: A43172710083459BC304EF64D8559EF77F8BEA1314F44892EF4E653191EB30AA49C763

Function 0014E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0014E645

Strings

1#QNAN, xrefs: 0014F84B
1#IND, xrefs: 0014F83D
1#SNAN, xrefs: 0014F844
1#INF, xrefs: 0014F852

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f16057342bca6c4a321d9427c01a307ef046ca838227fa43509691abffb416cf
Instruction ID: 14b0d34e7f034e11cff761f7e78ff6c4e3de371a53b3243b3896b16b84c6e434
Opcode Fuzzy Hash: f16057342bca6c4a321d9427c01a307ef046ca838227fa43509691abffb416cf
Instruction Fuzzy Hash: 8BC21872E046298FDB29CE28DD407EAB7B5FB48315F1541EAD84DE7250E774AE828F40

Function 0018648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001864DC
CoInitialize.OLE32(00000000), ref: 00186639
CoCreateInstance.OLE32(001AFCF8,00000000,00000001,001AFB68,?), ref: 00186650
CoUninitialize.OLE32 ref: 001868D4

Strings

.lnk, xrefs: 001864BA, 00186524, 001865E0

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: e69bfdf743970960485ad2195f4bbf870e7eb5c5e8b3d33ad1fcbd63c392fce1
Instruction ID: 7af5b624201eb83a0db992ed11020af79c16529e71865df17c9a6aecf521c659
Opcode Fuzzy Hash: e69bfdf743970960485ad2195f4bbf870e7eb5c5e8b3d33ad1fcbd63c392fce1
Instruction Fuzzy Hash: 7BD14A715083019FC304EF24C891AABB7E8FFA9744F10496DF5958B291EB71EE46CB92

Function 001922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001922E8

Part of subcall function 0018E4EC: GetWindowRect.USER32(?,?), ref: 0018E504

GetDesktopWindow.USER32 ref: 00192312
GetWindowRect.USER32(00000000), ref: 00192319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00192355
GetCursorPos.USER32(?), ref: 00192381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001923DF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 267a2d327c724d11495ff4f45ccb4960f8f965c21c6180f410fd0d7442ecbec3
Instruction ID: 577f51f1174cfa3bb84db8c5874f60dcdc0220c84ef05a173273cf93bcc45856
Opcode Fuzzy Hash: 267a2d327c724d11495ff4f45ccb4960f8f965c21c6180f410fd0d7442ecbec3
Instruction Fuzzy Hash: 3031C272505315AFDB20DF54C849B9BB7E9FF89314F000919F98997191DB34EA48CBD2

Function 00189B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00189B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00189C8B

Part of subcall function 00183874: GetInputState.USER32 ref: 001838CB
Part of subcall function 00183874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00183966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00189BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00189C75

Strings

*.*, xrefs: 00189B5D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: f5b8b16930cacd70239bbca15fcc6980de572325bcc45b21245f793b1785cc23
Instruction ID: d8d7a7b5bf8ef29697e4c711216ed4b4cbe23da46118abfa26d533a05b4ae43c
Opcode Fuzzy Hash: f5b8b16930cacd70239bbca15fcc6980de572325bcc45b21245f793b1785cc23
Instruction Fuzzy Hash: 6C41637190420A9FCF15EF64C945AEE7BB4FF55310F184156E815A6191EB319F84CFA0

Function 0012997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00129A4E
GetSysColor.USER32(0000000F), ref: 00129B23
SetBkColor.GDI32(?,00000000), ref: 00129B36

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 7b1bd7d4832322ddb91c9aee93c4d9d3c73535949c02e5ebb555f7bb05524239
Instruction ID: e4820dc587760f44cd21935e0b1b126354799325443896489b0bae72942952ba
Opcode Fuzzy Hash: 7b1bd7d4832322ddb91c9aee93c4d9d3c73535949c02e5ebb555f7bb05524239
Instruction Fuzzy Hash: B6A10870208564BFE728AA3CAC98E7F369DEF43358F164109F502DB9D1CB259DA1D271

Function 00191806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0019304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0019307A
Part of subcall function 0019304E: _wcslen.LIBCMT ref: 0019309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0019185D
WSAGetLastError.WSOCK32 ref: 00191884
bind.WSOCK32(00000000,?,00000010), ref: 001918DB
WSAGetLastError.WSOCK32 ref: 001918E6
closesocket.WSOCK32(00000000), ref: 00191915

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d98480166a8edc032efe8b8777df0219acc917794883b59bc620ed47954ff0a6
Instruction ID: 7a47543a7b0faae74f52e94f54ddc0881d76ac9c26bfef39048e55c2439dd45d
Opcode Fuzzy Hash: d98480166a8edc032efe8b8777df0219acc917794883b59bc620ed47954ff0a6
Instruction Fuzzy Hash: B451B371A00210AFDB14AF24D88AF6A77E5AB59718F08809CF9155F3D3D771AD818BE1

Function 001A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001A1CC0
IsWindowEnabled.USER32 ref: 001A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001A1CDB
IsIconic.USER32 ref: 001A1CE9
IsZoomed.USER32 ref: 001A1CF7

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8aa79f69a81fe85907cca5e37102bb2189188faeb927454bad61041aa2e5bd1a
Instruction ID: 0aa802aed6a098ebadf2a670891198ee41536e5b2c67ec1eaef7c24642e07bcf
Opcode Fuzzy Hash: 8aa79f69a81fe85907cca5e37102bb2189188faeb927454bad61041aa2e5bd1a
Instruction Fuzzy Hash: 4821B5397402116FD7248F2AC844B6A7BE5EF96324F198068E84ACB355C771DC42CBD4

Function 00118060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001183E8
VUUU, xrefs: 0011843C
ERCP, xrefs: 0011813C
VUUU, xrefs: 00155DF0
VUUU, xrefs: 001183FA

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 2745eb558ff08ee1f0d27048bf5567d1b6a9894335e44e879bfdc08418d421aa
Instruction ID: 31f655dc8cbdef1ef728ab8efa3fc728ca310b1a050743ff8a8296412f439ebb
Opcode Fuzzy Hash: 2745eb558ff08ee1f0d27048bf5567d1b6a9894335e44e879bfdc08418d421aa
Instruction Fuzzy Hash: 6BA27071E0061ACBDF28CF58C8507EDB7B2BB54311F6581AAEC25AB285DB709DC5CB90

Function 0017AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0017AAAC
SetKeyboardState.USER32(00000080), ref: 0017AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0017AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0017AB88

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 74d8adef42c4a0e9f26bb0627ff92f3f5683764750996367118894cd7206eb91
Instruction ID: 20b9bf407199decbb84b917f1cd4a9a994b250fba041c40ccd1ebe8cc4b0ee19
Opcode Fuzzy Hash: 74d8adef42c4a0e9f26bb0627ff92f3f5683764750996367118894cd7206eb91
Instruction Fuzzy Hash: F4310730A80208AEFB35CA64CC05BFE7BB6AFD5310F84C21AF589971D1D7749985C7A2

Function 0014BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0014BB7F

Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0

GetTimeZoneInformation.KERNEL32 ref: 0014BB91
WideCharToMultiByte.KERNEL32(00000000,?,001E121C,000000FF,?,0000003F,?,?), ref: 0014BC09
WideCharToMultiByte.KERNEL32(00000000,?,001E1270,000000FF,?,0000003F,?,?,?,001E121C,000000FF,?,0000003F,?,?), ref: 0014BC36

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: d86e3b6a6437659f4d7164cd56ae343ef410f1ae604b9c6abd4fc220c25aafe6
Instruction ID: e1963f70b6adaf81d0dd8b34d90f7ede8a05050794143dd242134845dec532d3
Opcode Fuzzy Hash: d86e3b6a6437659f4d7164cd56ae343ef410f1ae604b9c6abd4fc220c25aafe6
Instruction Fuzzy Hash: A431AF70908246EFCB15DFA9DCC082DBBB8FF56310B2446AAE151DB2B1D7309D81CB90

Function 0018CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0018CE89
GetLastError.KERNEL32(?,00000000), ref: 0018CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0018CEFE

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 13917eda2b6909063aa29b4aa2d4303acc8a393bf4f27d499e4b6d6f2f81f9c4
Instruction ID: 3906d81540475d593dd772da9502195e217adb63ae0b8f46a752598498f293c6
Opcode Fuzzy Hash: 13917eda2b6909063aa29b4aa2d4303acc8a393bf4f27d499e4b6d6f2f81f9c4
Instruction Fuzzy Hash: BF21ACB1500705ABEB30EFA5D948BA7BBFCEB51354F10841EE646D2151EB74EE448FA0

Function 00178298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001782AA

Strings

(, xrefs: 001782F0
|, xrefs: 001782DA

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 25370be837985bbc6a3d67d7a9a9e251913efabc00f84b2575590a88948d5ca8
Instruction ID: 2ae36482b619af4f406ac0017265e56d9f72bd9baf68db7d0b08c9f15d176060
Opcode Fuzzy Hash: 25370be837985bbc6a3d67d7a9a9e251913efabc00f84b2575590a88948d5ca8
Instruction Fuzzy Hash: 1A323474A006059FCB28CF69C485A6AB7F0FF48710B15C56EE49ADB7A1EB70E981CB50

Function 00185C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00185CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00185D17
FindClose.KERNEL32(?), ref: 00185D5F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: becd0208b16f1c0c7e9519a52e43fd5eb1ab5c72c72b82a229407db148e1516b
Instruction ID: f2c1131116eb031140400425f5a46bdeaa7b4bc97cd3463b2c6d21630ba26588
Opcode Fuzzy Hash: becd0208b16f1c0c7e9519a52e43fd5eb1ab5c72c72b82a229407db148e1516b
Instruction Fuzzy Hash: 05519B34604A019FC718DF68C494E96B7E5FF49324F14866EE95A8B3A2CB30ED45CF91

Function 00142622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0014271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00142724
UnhandledExceptionFilter.KERNEL32(?), ref: 00142731

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8c7666383201e99389e43a7004739977ab9c2e60c9acf34007fbcbe489d06bfd
Instruction ID: 6b26d083077928949df626c3da23432466d7cc81685311ee1de1d1b014fb8aa7
Opcode Fuzzy Hash: 8c7666383201e99389e43a7004739977ab9c2e60c9acf34007fbcbe489d06bfd
Instruction Fuzzy Hash: 1131B47491122C9BCB21DF64DD897D9BBB8BF18310F5041EAE81CA7261E7709F818F45

Function 001851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00185238
SetErrorMode.KERNEL32(00000000), ref: 001852A1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f6cfd168860bd84b0ea4ccd8551ed44450fc6422baec19bc3d4e2fc1eeafd55c
Instruction ID: 41a457d014e23a40e2cebbb95a0c7311615db8cd86e953dbafdcea88f05c9568
Opcode Fuzzy Hash: f6cfd168860bd84b0ea4ccd8551ed44450fc6422baec19bc3d4e2fc1eeafd55c
Instruction Fuzzy Hash: B8313E75A00518DFDB04EF54D884EADBBF5FF49314F048099E805AB3A2DB31E956CB90

Function 001716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0012FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00130668
Part of subcall function 0012FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00130685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0017170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0017173A
GetLastError.KERNEL32 ref: 0017174A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 3cfe2b9b2ebbdc300bb1df2b9e27d5a34af5ea24de6a68a648641fe050d65e39
Instruction ID: 001a8c951f82156b28a6ed669b348b5afdc60e80349c44a42e5cf38949c64ac4
Opcode Fuzzy Hash: 3cfe2b9b2ebbdc300bb1df2b9e27d5a34af5ea24de6a68a648641fe050d65e39
Instruction Fuzzy Hash: 651191B2404308BFD7189F54EC86D6BB7BDEB44714B20C52EF05657641EB70BC418B60

Function 0017D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0017D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0017D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0017D650

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f4ec0324401952789e4a3205e2a67a3bc604f58cf0ed20559ba02f68a73b3014
Instruction ID: 4a1234450204ac45a7741f50a7587681fcbf3b44afdb4bee4a5d193836cb00ab
Opcode Fuzzy Hash: f4ec0324401952789e4a3205e2a67a3bc604f58cf0ed20559ba02f68a73b3014
Instruction Fuzzy Hash: DC115E75E05228BFDB108F95EC45FAFBBBCEB45B50F108116F908E7290D6704A058BE1

Function 00171663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0017168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001716A1
FreeSid.ADVAPI32(?), ref: 001716B1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7e6a3f3cc887e86e14186eccfc4621cc82fb4c8036c4fcc696e0e6f1dcddace8
Instruction ID: 7345038efa6e8a8688878d636477c467c3f917405cbb0198edcd5b869ec8d202
Opcode Fuzzy Hash: 7e6a3f3cc887e86e14186eccfc4621cc82fb4c8036c4fcc696e0e6f1dcddace8
Instruction Fuzzy Hash: 53F0F47595030DFBDB00DFE49D89AAEBBBCFB08604F508565F501E2181E774AA448A90

Function 0016D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0016D28C

Strings

X64, xrefs: 0016D2A8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8ce4418fb315596fb3bca7972b6962ff33a1ddd81deda28cd8ecabae98d85369
Instruction ID: fa3cdfa9b621cc05297c3f7445d75482899c43f44ef9e6999cce9555651e4ba2
Opcode Fuzzy Hash: 8ce4418fb315596fb3bca7972b6962ff33a1ddd81deda28cd8ecabae98d85369
Instruction Fuzzy Hash: E8D0CAB880116DEACB98CBA0EC88DDAB3BCBB04305F100296F506A2000DB3096888F20

Function 0013CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 38b2547f1af15684dddf6fd3f0e7a636d4ce1ee3e2f3566e82b8bbbf7082897d
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 47021D72E002199BDF14CFA9C8906ADFBF5EF58314F258169D819FB384D731AA418BD4

Function 001868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00186918
FindClose.KERNEL32(00000000), ref: 00186961

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c519130fafd2812d1e8f6366756d28056aaf469c772a550b239032d29ca30f94
Instruction ID: ca040a610f5db201b7601ecdb285b896a8b875457179a34f7691238746e78c46
Opcode Fuzzy Hash: c519130fafd2812d1e8f6366756d28056aaf469c772a550b239032d29ca30f94
Instruction Fuzzy Hash: 03118E316042019FC714DF29D488A16BBE5EF85328F14C6A9E4698F7A2CB30ED45CBD1

Function 001837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00194891,?,?,00000035,?), ref: 001837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00194891,?,?,00000035,?), ref: 001837F4

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4b3cdf90a0c776de3e23f2fec815de1db5a2078d304327bee7e9d547b79392a5
Instruction ID: 0a1b44cdc347ca9a5384695a555b915eee97b53ad589edf4679c16010f42cad1
Opcode Fuzzy Hash: 4b3cdf90a0c776de3e23f2fec815de1db5a2078d304327bee7e9d547b79392a5
Instruction Fuzzy Hash: 71F0E5B06042287AEB2027668C4DFEB3AAEEFC5B61F000175F519D2281DA609A44CBF0

Function 0017B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0017B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0017B270

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a9b35c878199edc7599c7c9e3444b8ad099d07ab4f48fc98544f4283f8251af8
Instruction ID: 6c2d5cf1c49d32f687f32ea1df111b652ff3db79c703c020608ca0293aeab9de
Opcode Fuzzy Hash: a9b35c878199edc7599c7c9e3444b8ad099d07ab4f48fc98544f4283f8251af8
Instruction Fuzzy Hash: 60F0177190428EABDB059FA0C806BBE7BB4FF09309F00800AF965A61A2C37996519F94

Function 001710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001711FC), ref: 001710D4
CloseHandle.KERNEL32(?,?,001711FC), ref: 001710E9

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 34ff84403b711c6714bdbe333fbe49fa6115baffb6e3ad0ac26e26fdf0ccd04c
Instruction ID: 0086281afff62abdd3c3beec7d83431302b4de3a426bb68f8a60ae0a6c3b310c
Opcode Fuzzy Hash: 34ff84403b711c6714bdbe333fbe49fa6115baffb6e3ad0ac26e26fdf0ccd04c
Instruction Fuzzy Hash: 1DE04F32004610BEE7252B51FC05F7377B9EF04310F10882DF4A6804B1DB626CE0DB50

Function 0011CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00160C40

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 9272df2878f2cd569eb463967e4c65bc98d763f8f41c16db026283b94b60b28c
Instruction ID: 20bf6184b9790bb8d1c272313ac53b1f4ca38dc23d80f74f1d17a71cc6a005b0
Opcode Fuzzy Hash: 9272df2878f2cd569eb463967e4c65bc98d763f8f41c16db026283b94b60b28c
Instruction Fuzzy Hash: 6A32C230940219DFCF18DF94D881BEEB7B5FF19304F148069E806AB292D775AE86CB91

Function 0014676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00146766,?,?,00000008,?,?,0014FEFE,00000000), ref: 00146998

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8a2bbb79f57aa8c1c0c97277f1090ff51414096cd3f29345211601539bb42cbb
Instruction ID: dae69a18ec6ad19150d4e3153244900f290986fca6fe414c9badfd606f7a77e6
Opcode Fuzzy Hash: 8a2bbb79f57aa8c1c0c97277f1090ff51414096cd3f29345211601539bb42cbb
Instruction Fuzzy Hash: 50B15B71610609DFD719CF28C48ABA57BE0FF46368F258658E899CF2B2C335E991CB41

Function 0012B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0016851F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3a5c31c615a260daf24264ea05d06c4720845677163c7a3d609235440c4917a3
Instruction ID: 61353ad46d9b7ac2154f37854e0ecaf2df539c7da1a6d71fea68ff533e5f5c8b
Opcode Fuzzy Hash: 3a5c31c615a260daf24264ea05d06c4720845677163c7a3d609235440c4917a3
Instruction Fuzzy Hash: 68127E71D042299FCB24DF58D8806EEB7F5FF48310F1581AAE849EB255EB309E91CB90

Function 0018EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0018EABD

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b348930500b1791c7d3b3e00858c0b15479502224278aa7701932c4923048980
Instruction ID: 50084c71bda2b10f480d8556c76b2cef3b945a81e84a7f50e560a86801aeb2e2
Opcode Fuzzy Hash: b348930500b1791c7d3b3e00858c0b15479502224278aa7701932c4923048980
Instruction Fuzzy Hash: E3E04F312002049FC714EF59D844E9AF7E9AFA8760F008426FC49C7351DB70E9818F90

Function 001309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001303EE), ref: 001309DA

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 262c88bbe4ba5d634470bc18f33c244efa168705cc96ee830844eff09fab1f96
Instruction ID: 835ec74894ef9e680c7c439bf9c32606205dd093cb24849b3f41c9aff16d5ade
Opcode Fuzzy Hash: 262c88bbe4ba5d634470bc18f33c244efa168705cc96ee830844eff09fab1f96
Instruction Fuzzy Hash:

Function 0013781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0013798B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: cd62ef53f01191050a66d5392e28cfabff8a5fb902ed34a28a8e3d36a6f1f571
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 1A51ABF160C745ABDF3C8638885EBBE67C99B12364F180A89E986D73C2C715DE01D352

Function 00146DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48944a2cc04bbb3ef9ea1e50698e2b4a37e4a17da2c2872a88a58e3826439875
Instruction ID: 42436326c13971da25516b7517213d97acee36ff54d089590f129d100315facd
Opcode Fuzzy Hash: 48944a2cc04bbb3ef9ea1e50698e2b4a37e4a17da2c2872a88a58e3826439875
Instruction Fuzzy Hash: 7A32F222D29F414DDB239635D822336A689AFB73C5F15D737E81AB9DB9EB29C4C34100

Function 0012CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32264f2c1469ba308d6e4a8a9d7f58447cba79764fda505affd300bbf0a364a3
Instruction ID: bd0f628affed37258399152b361e4d48f098f594a06454c7b599859989835d00
Opcode Fuzzy Hash: 32264f2c1469ba308d6e4a8a9d7f58447cba79764fda505affd300bbf0a364a3
Instruction Fuzzy Hash: 9D32F331A001658BCF28CE69DC9467D7BA1EB45310F29816AD9DACB791E3309EB1DBC1

Function 00117920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca39b033344d6117e16ca1022350d409218ebca1d27b8a2ceab35f90dbe4043
Instruction ID: d7380b2bdc47f07401d7ecbd9e4afc86671a40d36180b88204506283d0efa31f
Opcode Fuzzy Hash: cca39b033344d6117e16ca1022350d409218ebca1d27b8a2ceab35f90dbe4043
Instruction Fuzzy Hash: 5622CF70A04609DFDF18CF64D891AEEB7B6FF54300F244139E826AB291EB369995CB50

Function 001191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c8c16ac9d15f23bd8108432b0fefb05bf50b28ee1705e81d44c716e0af4fab
Instruction ID: 2192e781dd80856a6aaa3dd4e4f222c36a068d2c87c78c67584645b425a63173
Opcode Fuzzy Hash: 69c8c16ac9d15f23bd8108432b0fefb05bf50b28ee1705e81d44c716e0af4fab
Instruction Fuzzy Hash: 1A02D6B1E00109EBDB08DF64D881AAEB7F5FF54300F118169E826DB290E731EA65CB81

Function 00149EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31189c15656eb97a4ce66c7aee1cb58e50bc53627d2b4dc4030749a1437073b
Instruction ID: 17aad8ba321bb4f09e5e28028adc345b7d8fd4b5670d6fbdb83a89ea49dfcf8e
Opcode Fuzzy Hash: b31189c15656eb97a4ce66c7aee1cb58e50bc53627d2b4dc4030749a1437073b
Instruction Fuzzy Hash: C1B1CF20D2AF514DD22396398871337B69CBFBB6D5B92D71BFC2674D22EB2286D34140

Function 00131C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8ec379226ed68a9a030981542ef2ca26782653288705d0fa4a2291b27643e8ae
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 8B9179731080A35ADB6E467E857407EFFE15A523A1B1A07ADD4F2CB1C5FF24C958D620

Function 00131F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 3f0e2e4ff359c7ccc2485280bc0236325e315365a1f17a06f28fdf78f1d14185
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: AF9168732090A349EB6D523D857443EFFE15A923A1B1A079DE4F2CB1C5EF34D558E620

Function 001319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ad4c6fbe47a647d40a24083b348e629dbf2b748998564f42b2ae5f0db49e91dc
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 929132722090E35AEB2D467A857407EFFF15A923A2B1A079ED4F2CB1C5FF24C564D620

Function 00137A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9ffad6fbb1f86acd6259858823b3f31103be59ac5eeac086e21f49ed1f6c60
Instruction ID: be77b74e309b59bff494ad487ab80b0583cdb1ea314df49938c15096c627c3c1
Opcode Fuzzy Hash: 9f9ffad6fbb1f86acd6259858823b3f31103be59ac5eeac086e21f49ed1f6c60
Instruction Fuzzy Hash: 196149F120874AA6EE38AA2C8C95BBEB3A4DF51700F18091EF843DB2C5D7119E42C355

Function 00137CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e9acf84ae9da34ee7d6fda3cca345798553b9263508221b167974d8b5d0388
Instruction ID: e3dc4867e335a39b55ac8f1ca56a48b933b21b63f5a6c54ecab07c53bed79293
Opcode Fuzzy Hash: e7e9acf84ae9da34ee7d6fda3cca345798553b9263508221b167974d8b5d0388
Instruction Fuzzy Hash: 7E619CF120C70967DE399AA89892BBF6398EF52744F100969F843DB2C1DB12DD46C355

Function 00131706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 14e153a681ac34229b34bd112ea081dc8033eb471eab1550558aa6b98e61da67
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7B8184336080A359EB6D863A853453EFFE15A923A5B1E079DD4F2CB1C1EF24C558E720

Function 00182046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34b1299d6df939d7bb121f5ecd6e248002fb0561430d3efd0ca4b4c80536686
Instruction ID: 8b8d87fc80ca870a37a014539e836362be38b8bc2324024d7a7555805c30dc1b
Opcode Fuzzy Hash: d34b1299d6df939d7bb121f5ecd6e248002fb0561430d3efd0ca4b4c80536686
Instruction Fuzzy Hash: F421BB326206518BDB28CF79C86367E73E9A754310F15862EF4A7C77D0DE75A944CB80

Function 00192ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00192B30
DeleteObject.GDI32(00000000), ref: 00192B43
DestroyWindow.USER32 ref: 00192B52
GetDesktopWindow.USER32 ref: 00192B6D
GetWindowRect.USER32(00000000), ref: 00192B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00192CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00192CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192CF8
GetClientRect.USER32(00000000,?), ref: 00192D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00192D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D80
GlobalLock.KERNEL32(00000000), ref: 00192D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D98
GlobalUnlock.KERNEL32(00000000), ref: 00192DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192DA8
GlobalFree.KERNEL32(00000000), ref: 00192DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001AFC38,00000000), ref: 00192DDB
GlobalFree.KERNEL32(00000000), ref: 00192DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00192E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00192E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0019303F

Strings

static, xrefs: 00192D3A, 00192E91
DISPLAY, xrefs: 00192EA2
AutoIt v3, xrefs: 00192CF2
, xrefs: 00192FC5

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a3ac0ffe90b41f1fc4b545b1854b2d9a9ff9534638311c77c29a98676cc99234
Instruction ID: f3d1194894cd8df4730f5808d59575642fc0b00591516015eafe784f174be92f
Opcode Fuzzy Hash: a3ac0ffe90b41f1fc4b545b1854b2d9a9ff9534638311c77c29a98676cc99234
Instruction Fuzzy Hash: 9C026B71A00205EFDB14DFA4DC89EAE7BB9FF49710F048158F915AB2A1DB74AD41CBA0

Function 001A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001A712F
GetSysColorBrush.USER32(0000000F), ref: 001A7160
GetSysColor.USER32(0000000F), ref: 001A716C
SetBkColor.GDI32(?,000000FF), ref: 001A7186
SelectObject.GDI32(?,?), ref: 001A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001A71C0
GetSysColor.USER32(00000010), ref: 001A71C8
CreateSolidBrush.GDI32(00000000), ref: 001A71CF
FrameRect.USER32(?,?,00000000), ref: 001A71DE
DeleteObject.GDI32(00000000), ref: 001A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001A7230
FillRect.USER32(?,?,?), ref: 001A7262
GetWindowLongW.USER32(?,000000F0), ref: 001A7284

Part of subcall function 001A73E8: GetSysColor.USER32(00000012), ref: 001A7421
Part of subcall function 001A73E8: SetTextColor.GDI32(?,?), ref: 001A7425
Part of subcall function 001A73E8: GetSysColorBrush.USER32(0000000F), ref: 001A743B
Part of subcall function 001A73E8: GetSysColor.USER32(0000000F), ref: 001A7446
Part of subcall function 001A73E8: GetSysColor.USER32(00000011), ref: 001A7463
Part of subcall function 001A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001A7471
Part of subcall function 001A73E8: SelectObject.GDI32(?,00000000), ref: 001A7482
Part of subcall function 001A73E8: SetBkColor.GDI32(?,00000000), ref: 001A748B
Part of subcall function 001A73E8: SelectObject.GDI32(?,?), ref: 001A7498
Part of subcall function 001A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001A74B7
Part of subcall function 001A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001A74CE
Part of subcall function 001A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001A74DB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b2d9cdfa6a950207fdb08366d3daa360278a3ec0509dec02be3b82852459149a
Instruction ID: 4398c18a174e61ae42e79a2f34b0a4233c9258aa25fdb54113133871d5b0f59d
Opcode Fuzzy Hash: b2d9cdfa6a950207fdb08366d3daa360278a3ec0509dec02be3b82852459149a
Instruction Fuzzy Hash: C8A19076508301EFDB119F60DC48E6BBBE9FF8A321F100A19F962961E1D771E984CB91

Function 00128D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00128E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00166AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00166AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00166F43

Part of subcall function 00128F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00128BE8,?,00000000,?,?,?,?,00128BBA,00000000,?), ref: 00128FC5

SendMessageW.USER32(?,00001053), ref: 00166F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00166F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00166FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00166FB7

Strings

0, xrefs: 00166DCF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 131c0346bc8a3cb66eeaafbb9f926b6fe59c6be327ca9a41844475f464ae5324
Instruction ID: 731782086983773c959df2c12dcdc2544785a51f2d9db43c80d0b22aed419f4c
Opcode Fuzzy Hash: 131c0346bc8a3cb66eeaafbb9f926b6fe59c6be327ca9a41844475f464ae5324
Instruction Fuzzy Hash: 3E12BB34601251EFDB25CF24ED94BAAB7E1FB45304F154469F4898B662CB32ECA1CF91

Function 00192711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0019273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0019286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00192900
GetClientRect.USER32(00000000,?), ref: 0019290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00192955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00192964
GetStockObject.GDI32(00000011), ref: 00192974
SelectObject.GDI32(00000000,00000000), ref: 00192978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00192988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00192991
DeleteDC.GDI32(00000000), ref: 0019299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00192A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00192A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00192A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00192A77
GetStockObject.GDI32(00000011), ref: 00192A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00192A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00192A97

Strings

static, xrefs: 0019294F, 00192A71
DISPLAY, xrefs: 0019295A
AutoIt v3, xrefs: 001928F8
msctls_progress32, xrefs: 00192A13

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5337f2d148b2946f96f1b9ba64dc3ac41f71c3f93a4bd6b25404a8e3200db330
Instruction ID: 3eef70d26490da7e379c8f17a623ef64cb41f570f1ec80f5886ab3fb9a3b4cac
Opcode Fuzzy Hash: 5337f2d148b2946f96f1b9ba64dc3ac41f71c3f93a4bd6b25404a8e3200db330
Instruction Fuzzy Hash: C7B13AB5A00215BFEB14DFA8DC89FAE7BA9FB09710F004515F915EB690D774AD80CBA0

Function 00184ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00184AED
GetDriveTypeW.KERNEL32(?,001ACB68,?,\\.\,001ACC08), ref: 00184BCA
SetErrorMode.KERNEL32(00000000,001ACB68,?,\\.\,001ACC08), ref: 00184D36

Strings

USB, xrefs: 00184CB4
\\.\, xrefs: 00184B3F
MMC, xrefs: 00184CDE
ATA, xrefs: 00184C98
Virtual, xrefs: 00184CE5
SATA, xrefs: 00184CD0
PhysicalDrive, xrefs: 00184B76
Network, xrefs: 00184C02
RAMDisk, xrefs: 00184BF4
SAS, xrefs: 00184CC9
iSCSI, xrefs: 00184CC2
Unknown, xrefs: 00184BED, 00184C83
Fixed, xrefs: 00184C09
SSD, xrefs: 00184C4A
Fibre, xrefs: 00184CAD
Removable, xrefs: 00184C10, 00184C15
RAID, xrefs: 00184CBB
ATAPI, xrefs: 00184C91
1394, xrefs: 00184C9F
FileBackedVirtual, xrefs: 00184CEC
CDROM, xrefs: 00184BFB
SCSI, xrefs: 00184C8A
SSA, xrefs: 00184CA6

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e11c9b2ca0870c9db24b3556c58496104bf868c9102e225e8b4da8e602eaa501
Instruction ID: f364981ca12a6e625bf8ae6b24481920264f88691d931daaa5a9ae4f973d5b89
Opcode Fuzzy Hash: e11c9b2ca0870c9db24b3556c58496104bf868c9102e225e8b4da8e602eaa501
Instruction Fuzzy Hash: 0561C0307056079BCB08FF64DA819A8B7B5AB15340B248026F846AB791DF76EF81DF81

Function 001A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001A7421
SetTextColor.GDI32(?,?), ref: 001A7425
GetSysColorBrush.USER32(0000000F), ref: 001A743B
GetSysColor.USER32(0000000F), ref: 001A7446
CreateSolidBrush.GDI32(?), ref: 001A744B
GetSysColor.USER32(00000011), ref: 001A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001A7471
SelectObject.GDI32(?,00000000), ref: 001A7482
SetBkColor.GDI32(?,00000000), ref: 001A748B
SelectObject.GDI32(?,?), ref: 001A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001A7572
DrawFocusRect.USER32(?,?), ref: 001A757D
GetSysColor.USER32(00000011), ref: 001A758E
SetTextColor.GDI32(?,00000000), ref: 001A7596
DrawTextW.USER32(?,001A70F5,000000FF,?,00000000), ref: 001A75A8
SelectObject.GDI32(?,?), ref: 001A75BF
DeleteObject.GDI32(?), ref: 001A75CA
SelectObject.GDI32(?,?), ref: 001A75D0
DeleteObject.GDI32(?), ref: 001A75D5
SetTextColor.GDI32(?,?), ref: 001A75DB
SetBkColor.GDI32(?,?), ref: 001A75E5

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1619472b7f2f28c8aeb138d3bc9d8bd43a75d01ff47f2bb1a9f593d9c029b781
Instruction ID: b5b845e8c2f5b64827b6910d0e03bbecd40caaae1aa9366195c82b656863ce3e
Opcode Fuzzy Hash: 1619472b7f2f28c8aeb138d3bc9d8bd43a75d01ff47f2bb1a9f593d9c029b781
Instruction Fuzzy Hash: 6D614F76D04218AFDF019FA4DC49AEE7FB9EB0A320F114125F915AB2E1D7749A80CB90

Function 001A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001A1128
GetDesktopWindow.USER32 ref: 001A113D
GetWindowRect.USER32(00000000), ref: 001A1144
GetWindowLongW.USER32(?,000000F0), ref: 001A1199
DestroyWindow.USER32(?), ref: 001A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001A1245
IsWindowVisible.USER32(00000000), ref: 001A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001A12D0
GetWindowRect.USER32(00000000,?), ref: 001A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001A130E
GetMonitorInfoW.USER32(00000000,?), ref: 001A1328
CopyRect.USER32(?,?), ref: 001A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001A13AA

Strings

(, xrefs: 001A131B
0, xrefs: 001A10D3
tooltips_class32, xrefs: 001A11E6

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fe97211e21dfd9701789420ffeb0131c8d2d3d44dcb49d7bb93f3d161d6c2aa3
Instruction ID: 50327d96779d61c85131bc100b027c8b56b637c47ef1161dc80804d18c71443b
Opcode Fuzzy Hash: fe97211e21dfd9701789420ffeb0131c8d2d3d44dcb49d7bb93f3d161d6c2aa3
Instruction Fuzzy Hash: BDB19D75608341AFDB04DF64C984BABBBE5FF89350F00891DF9999B2A1D731E884CB91

Function 00128891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00128968
GetSystemMetrics.USER32(00000007), ref: 00128970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0012899B
GetSystemMetrics.USER32(00000008), ref: 001289A3
GetSystemMetrics.USER32(00000004), ref: 001289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00128A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00128A3C
GetClientRect.USER32(00000000,000000FF), ref: 00128A5A
GetStockObject.GDI32(00000011), ref: 00128A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00128A81

Part of subcall function 0012912D: GetCursorPos.USER32(?), ref: 00129141
Part of subcall function 0012912D: ScreenToClient.USER32(00000000,?), ref: 0012915E
Part of subcall function 0012912D: GetAsyncKeyState.USER32(00000001), ref: 00129183
Part of subcall function 0012912D: GetAsyncKeyState.USER32(00000002), ref: 0012919D

SetTimer.USER32(00000000,00000000,00000028,001290FC), ref: 00128AA8

Strings

AutoIt v3 GUI, xrefs: 00128A20

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ef4d527ef2cc051d03af305c9bd80259a12ea7f1af0f721429f7327c8b2f0d18
Instruction ID: 9bb24ba6ee48078e863b3bbdb4b394b1fef5ff3982307ee44b0a809147c82ac4
Opcode Fuzzy Hash: ef4d527ef2cc051d03af305c9bd80259a12ea7f1af0f721429f7327c8b2f0d18
Instruction Fuzzy Hash: C0B18E75A00219AFDF14DFA8DD85BAE7BB5FB48314F114129FA15AB290DB34E890CB90

Function 00170D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00171114
Part of subcall function 001710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171120
Part of subcall function 001710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 0017112F
Part of subcall function 001710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171136
Part of subcall function 001710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0017114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00170DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00170E29
GetLengthSid.ADVAPI32(?), ref: 00170E40
GetAce.ADVAPI32(?,00000000,?), ref: 00170E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00170E96
GetLengthSid.ADVAPI32(?), ref: 00170EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00170EB5
HeapAlloc.KERNEL32(00000000), ref: 00170EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00170EDD
CopySid.ADVAPI32(00000000), ref: 00170EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00170F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00170F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00170F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170F6E
HeapFree.KERNEL32(00000000), ref: 00170F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170F7E
HeapFree.KERNEL32(00000000), ref: 00170F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170F8E
HeapFree.KERNEL32(00000000), ref: 00170F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00170FA1
HeapFree.KERNEL32(00000000), ref: 00170FA8

Part of subcall function 00171193: GetProcessHeap.KERNEL32(00000008,00170BB1,?,00000000,?,00170BB1,?), ref: 001711A1
Part of subcall function 00171193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00170BB1,?), ref: 001711A8
Part of subcall function 00171193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00170BB1,?), ref: 001711B7

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 072cdd64f55bd3ab3beabb6f904de7e23bb0121de622da403df3a564fe2631b0
Instruction ID: 08623bc3e4eb80fcba04d4420ad9898817f48e4d9f4ca2726bfcaf90a4eae3e1
Opcode Fuzzy Hash: 072cdd64f55bd3ab3beabb6f904de7e23bb0121de622da403df3a564fe2631b0
Instruction Fuzzy Hash: 78713B72A0030AEBDF21DFA4DC45FAEBBB8BF09310F148115F919E6191DB719A45CBA0

Function 0019C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001ACC08,00000000,?,00000000,?,?), ref: 0019C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0019C5A4
_wcslen.LIBCMT ref: 0019C5F4
_wcslen.LIBCMT ref: 0019C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0019C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0019C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0019C84D
RegCloseKey.ADVAPI32(?), ref: 0019C881
RegCloseKey.ADVAPI32(00000000), ref: 0019C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0019C960

Strings

REG_MULTI_SZ, xrefs: 0019C6F5
REG_DWORD, xrefs: 0019C804
REG_BINARY, xrefs: 0019C913
REG_QWORD, xrefs: 0019C8C3
REG_EXPAND_SZ, xrefs: 0019C5CD
REG_SZ, xrefs: 0019C644

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: afba1cd1f9af86f618bd647368a17755ca8d3ce7eaef2819fa9c9836fa7f5fa1
Instruction ID: 466b921059310b2f281c4a031f484545ff7beaab43bdda145f18381a4c8c1b6d
Opcode Fuzzy Hash: afba1cd1f9af86f618bd647368a17755ca8d3ce7eaef2819fa9c9836fa7f5fa1
Instruction Fuzzy Hash: 6B1269356042019FDB18DF14D891A6AB7E5FF88714F05886DF89A9B3A2DB31FD81CB81

Function 001A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001A09C6
_wcslen.LIBCMT ref: 001A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001A0A54
_wcslen.LIBCMT ref: 001A0A8A
_wcslen.LIBCMT ref: 001A0B06
_wcslen.LIBCMT ref: 001A0B81

Part of subcall function 0012F9F2: _wcslen.LIBCMT ref: 0012F9FD

Part of subcall function 00172BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00172BFA

Strings

EXISTS, xrefs: 001A0B7C, 001A0B97
COLLAPSE, xrefs: 001A0B01, 001A0B1C
SELECT, xrefs: 001A0D11
CHECK, xrefs: 001A0A85, 001A0AA0
ISCHECKED, xrefs: 001A0CE1
UNCHECK, xrefs: 001A0D3E
GETSELECTED, xrefs: 001A0C4E
GETTOTALCOUNT, xrefs: 001A09F2, 001A0A17
GETITEMCOUNT, xrefs: 001A0C1E
GETTEXT, xrefs: 001A0C97
EXPAND, xrefs: 001A0BF8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 343667f9421a7defbc894f685f2d6c24b2c5c8710dd4873171b91b1425532640
Instruction ID: 4c255894d335385a19d34bcf906079075f3ec8a24979fb73a829bd217345872d
Opcode Fuzzy Hash: 343667f9421a7defbc894f685f2d6c24b2c5c8710dd4873171b91b1425532640
Instruction Fuzzy Hash: B5E1B1392083018FC719DF24C55096AB7F2BFA9314F15896DF89A9B3A2D731ED85CB81

Function 0019C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
_wcslen.LIBCMT ref: 0019C9F1
_wcslen.LIBCMT ref: 0019CA68
_wcslen.LIBCMT ref: 0019CA9E
_wcslen.LIBCMT ref: 0019CAF9
_wcslen.LIBCMT ref: 0019CB2F
_wcslen.LIBCMT ref: 0019CB7F

Strings

HKLM, xrefs: 0019CA98, 0019CA9D
HKU, xrefs: 0019CBF0
HKCU, xrefs: 0019CBCE
HKEY_CLASSES_ROOT, xrefs: 0019CAF3, 0019CAF8
HKCR, xrefs: 0019CB29, 0019CB2E
HKEY_LOCAL_MACHINE, xrefs: 0019CA62, 0019CA67
HKCC, xrefs: 0019CBAC
HKEY_CURRENT_CONFIG, xrefs: 0019CB79, 0019CB7E
HKEY_CURRENT_USER, xrefs: 0019CBBD
HKEY_USERS, xrefs: 0019CBDF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a05e3ea6c4dcdd00468db9dc7be9d559902d4dcc79babb3f76c459b097295f72
Instruction ID: f161fb04efa51243d1612094e897f49ded6b328e815e4c7db0524241adb6205a
Opcode Fuzzy Hash: a05e3ea6c4dcdd00468db9dc7be9d559902d4dcc79babb3f76c459b097295f72
Instruction Fuzzy Hash: A471D33260016A8BCF20DE7CC9515BE3391ABB57A4F550529F8A6AB284F735DD85C3E0

Function 001A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A835A
_wcslen.LIBCMT ref: 001A836E
_wcslen.LIBCMT ref: 001A8391
_wcslen.LIBCMT ref: 001A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,001A361A,?), ref: 001A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001A8501
FreeLibrary.KERNEL32(?), ref: 001A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001A851D
DestroyIcon.USER32(?), ref: 001A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001A8555

Strings

.exe, xrefs: 001A8388
.dll, xrefs: 001A83AB
.icl, xrefs: 001A8368

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: c2c79e17e341efbfd633b3cf05feabcee28d4fb99393c1146dd3137fbb7cf4bd
Instruction ID: a98ee35bcd8e1783fa477f3d260230bb0ae1a6f0ab3feb107bd38ce6bede745f
Opcode Fuzzy Hash: c2c79e17e341efbfd633b3cf05feabcee28d4fb99393c1146dd3137fbb7cf4bd
Instruction Fuzzy Hash: 7861CF71A40215BFEB14DF64CC85BFE77A8BF19B21F10460AF815D61D1EB74AA90CBA0

Function 00117778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00155153
Bad directive syntax error, xrefs: 0015519A
', xrefs: 00155169
Cannot parse #include, xrefs: 00155279
#pragma compile, xrefs: 001177D3
#include-once, xrefs: 0011782F
#notrayicon, xrefs: 001177E7
#OnAutoItStartRegister, xrefs: 00117817
#ce, xrefs: 001178ED
#include, xrefs: 00117847
#requireadmin, xrefs: 001177FF
#comments-start, xrefs: 0011785F, 001178B1
#comments-end, xrefs: 001178D9
#cs, xrefs: 00117873, 001178C5
Unterminated group of comments, xrefs: 0015528C

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 84619f3b800967df326aed1b02179a1f272117f2f7ebc5e367d22c85534b89ea
Instruction ID: 2ddedd993c7aff650c0483aecc5cfe4d8c9687df24302f3282cbcf4cc4a3f555
Opcode Fuzzy Hash: 84619f3b800967df326aed1b02179a1f272117f2f7ebc5e367d22c85534b89ea
Instruction Fuzzy Hash: 02810671604605BBDB28AF60DC56FEE3BB9AF25300F044034FC15AA2D6EB70D996C7A1

Function 00183E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00183EF8
_wcslen.LIBCMT ref: 00183F03
_wcslen.LIBCMT ref: 00183F5A
_wcslen.LIBCMT ref: 00183F98
GetDriveTypeW.KERNEL32(?), ref: 00183FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0018401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00184059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00184087

Strings

open, xrefs: 00183F54, 00183F59
open , xrefs: 00183FE5
type cdaudio alias cd wait, xrefs: 00184001
close cd wait, xrefs: 00184072
close, xrefs: 00183EFE, 00183F18
closed, xrefs: 00183F08, 00183F2D, 00183F46, 00183F7E, 00183F97
wait, xrefs: 00184044
set cd door , xrefs: 00184028

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: cdc66b5d2209af9f84f49fa6c325d423d87eb90b87b883ee19805bbeaabfd106
Instruction ID: 0472b75637d1a9f5270002f887426bbd2ec631f16e9dbee5306cf2634cf764bd
Opcode Fuzzy Hash: cdc66b5d2209af9f84f49fa6c325d423d87eb90b87b883ee19805bbeaabfd106
Instruction Fuzzy Hash: 1071E5326042129FC314EF24C8809ABB7F4FFA4764F04492DF9A597251EB31EE85CB92

Function 00175A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00175A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00175A40
SetWindowTextW.USER32(?,?), ref: 00175A57
GetDlgItem.USER32(?,000003EA), ref: 00175A6C
SetWindowTextW.USER32(00000000,?), ref: 00175A72
GetDlgItem.USER32(?,000003E9), ref: 00175A82
SetWindowTextW.USER32(00000000,?), ref: 00175A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00175AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00175AC3
GetWindowRect.USER32(?,?), ref: 00175ACC
_wcslen.LIBCMT ref: 00175B33
SetWindowTextW.USER32(?,?), ref: 00175B6F
GetDesktopWindow.USER32 ref: 00175B75
GetWindowRect.USER32(00000000), ref: 00175B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00175BD3
GetClientRect.USER32(?,?), ref: 00175BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00175C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00175C2F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5ab11a3fe97f3efc72f745c97f6a3aa69f49ca89d132734df563ed01259412d9
Instruction ID: e09eb13ae6e1f1bcd8a3b1ecdedafb842dd55f9a405404b9095cdfab69aeafc0
Opcode Fuzzy Hash: 5ab11a3fe97f3efc72f745c97f6a3aa69f49ca89d132734df563ed01259412d9
Instruction Fuzzy Hash: 8A715231900B05AFDB20DFA8CE45B6EBBF6FF48715F104518E54AA3590D7B5E944CB50

Function 0018FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0018FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0018FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0018FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0018FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0018FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0018FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0018FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0018FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0018FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0018FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0018FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0018FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0018FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0018FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0018FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0018FECC
GetCursorInfo.USER32(?), ref: 0018FEDC
GetLastError.KERNEL32 ref: 0018FF1E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 999ccb1e1a3cb1e36b882da5eb6abf0c1a21fcc0d83b600789d262d0017aa76d
Instruction ID: 59c4be4fd9390a202f79357dc031c35964daa9d9892f9c8a9a837318f88deebd
Opcode Fuzzy Hash: 999ccb1e1a3cb1e36b882da5eb6abf0c1a21fcc0d83b600789d262d0017aa76d
Instruction Fuzzy Hash: 3E4151B0D443196ADB109FBA8C8985EBFE8FF04354B50452AF11DE7281DB78A9418F91

Function 001300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001300C6

Part of subcall function 001300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(001E070C,00000FA0,AC74D7D3,?,?,?,?,001523B3,000000FF), ref: 0013011C
Part of subcall function 001300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001523B3,000000FF), ref: 00130127
Part of subcall function 001300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001523B3,000000FF), ref: 00130138
Part of subcall function 001300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0013014E
Part of subcall function 001300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0013015C
Part of subcall function 001300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0013016A
Part of subcall function 001300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00130195
Part of subcall function 001300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001301A0

___scrt_fastfail.LIBCMT ref: 001300E7

Part of subcall function 001300A3: __onexit.LIBCMT ref: 001300A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00130122
WakeAllConditionVariable, xrefs: 00130162
SleepConditionVariableCS, xrefs: 00130154
kernel32.dll, xrefs: 00130133
InitializeConditionVariable, xrefs: 00130148

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 914054f235a9031b54ab4527f390e5a4f8d2c8e37253b869ae9afbe3390f9390
Instruction ID: c32616d2667cc49ad41dad42185a65ecdd71e750cd4be0a7ad4e34dd190a1bc9
Opcode Fuzzy Hash: 914054f235a9031b54ab4527f390e5a4f8d2c8e37253b869ae9afbe3390f9390
Instruction Fuzzy Hash: C921F936A44710ABE7236BE4AC55B6E73E4EB0EF51F010139F801E6A91DBB49C808AD0

Function 001730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0017318D
_wcslen.LIBCMT ref: 001731F8

Strings

REGEXPCLASS, xrefs: 00173255, 00173266
CLASS, xrefs: 00173188, 001731A5
NAME, xrefs: 00173335, 00173346
INSTANCE, xrefs: 00173453
TEXT, xrefs: 0017347C
CLASSNN, xrefs: 001731F3, 00173204

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 40be71fddd1bf7fa556bed8aa82335a7c65f56569f77f2aa89f4d040acd00102
Instruction ID: 2bcb49648df843f38da2c06b6fdab0e826e43f52d61d6c7ca5e6a188e6a7f67e
Opcode Fuzzy Hash: 40be71fddd1bf7fa556bed8aa82335a7c65f56569f77f2aa89f4d040acd00102
Instruction Fuzzy Hash: 83E1B532A00516ABCB289F78C4517EEFBB5BF54710F55C12AE46AB7240DB30AE85E790

Function 001844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001ACC08), ref: 00184527
_wcslen.LIBCMT ref: 0018453B
_wcslen.LIBCMT ref: 00184599
_wcslen.LIBCMT ref: 001845F4
_wcslen.LIBCMT ref: 0018463F
_wcslen.LIBCMT ref: 001846A7

Part of subcall function 0012F9F2: _wcslen.LIBCMT ref: 0012F9FD

GetDriveTypeW.KERNEL32(?,001D6BF0,00000061), ref: 00184743

Strings

removable, xrefs: 001845EA, 001845EF
network, xrefs: 0018469D, 001846A2
unknown, xrefs: 00184708
ramdisk, xrefs: 001846F1
all, xrefs: 00184531, 00184536
fixed, xrefs: 00184635, 0018463A
cdrom, xrefs: 0018458F, 00184594

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 0d94e4816fddd0d8adc61276100aaca6e206f7bc3a82cf8181dce43e88f287ab
Instruction ID: 94e39266ce0829dc4728b2dc5cade7106749dea74d1112e8159e81792672f31c
Opcode Fuzzy Hash: 0d94e4816fddd0d8adc61276100aaca6e206f7bc3a82cf8181dce43e88f287ab
Instruction Fuzzy Hash: 35B1C3316083039FC714EF28C890A6EB7E5AFA5764F50492DF496C7291EB30DA85CF92

Function 00193FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,001ACC08), ref: 001940BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001940CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,001ACC08), ref: 001940F2
FreeLibrary.KERNEL32(00000000,?,001ACC08), ref: 0019413E
StringFromGUID2.OLE32(?,?,00000028,?,001ACC08), ref: 001941A8
SysFreeString.OLEAUT32(00000009), ref: 00194262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001942C8
SysFreeString.OLEAUT32(?), ref: 001942F2

Strings

GetModuleHandleExW, xrefs: 001940C7
kernel32.dll, xrefs: 001940B6

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: d824b0e24bd3ea33d631adc54460ea74b00c68a7d8b7cd2b6730dbccc9af4d23
Instruction ID: cea7e6658ba33b9db9e69ef3ca03db7039f31e843b2899bcadf5d210592efed8
Opcode Fuzzy Hash: d824b0e24bd3ea33d631adc54460ea74b00c68a7d8b7cd2b6730dbccc9af4d23
Instruction Fuzzy Hash: 6D122875A00219EFDF14CF94C884EAEBBB5FF49314F258098E9059B251D731EE86CBA0

Function 0011326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(001E1990), ref: 00152F8D
GetMenuItemCount.USER32(001E1990), ref: 0015303D
GetCursorPos.USER32(?), ref: 00153081
SetForegroundWindow.USER32(00000000), ref: 0015308A
TrackPopupMenuEx.USER32(001E1990,00000000,?,00000000,00000000,00000000), ref: 0015309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001530A9

Strings

0, xrefs: 0011327D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5f520776715e92b08484c285579db0ecd5fa37baa776e3de0794fbad61ee555b
Instruction ID: a5f395f1801c2d6359be300893b21e5014ffe04c875c02c8ea14a4de4be8df73
Opcode Fuzzy Hash: 5f520776715e92b08484c285579db0ecd5fa37baa776e3de0794fbad61ee555b
Instruction Fuzzy Hash: 93713771644205FEEB299F64DC89FAABF64FF02364F204216F9346A1E0C7B1A954CB90

Function 001A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 001A6DEB

Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001A6E94
DestroyWindow.USER32(?), ref: 001A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00110000,00000000), ref: 001A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001A6EFD
GetDesktopWindow.USER32 ref: 001A6F16
GetWindowRect.USER32(00000000), ref: 001A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001A6F4D

Part of subcall function 00129944: GetWindowLongW.USER32(?,000000EB), ref: 00129952

Strings

tooltips_class32, xrefs: 001A6E58, 001A6EDD
0, xrefs: 001A6D98

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 2c2f9958f86914f56a545eaaf2987b559a14a7dc1b4b5bb9c477fceffb5a2cb7
Instruction ID: 0a2dae6a8673a6342ad05d83c464f7a9ffe101086f62a0a8be6b116ecfef2c33
Opcode Fuzzy Hash: 2c2f9958f86914f56a545eaaf2987b559a14a7dc1b4b5bb9c477fceffb5a2cb7
Instruction Fuzzy Hash: 84716778144244AFDB21CF28DC94FBABBE9FB8A304F08041EF999872A1C770A945CB51

Function 001A911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2

DragQueryPoint.SHELL32(?,?), ref: 001A9147

Part of subcall function 001A7674: ClientToScreen.USER32(?,?), ref: 001A769A
Part of subcall function 001A7674: GetWindowRect.USER32(?,?), ref: 001A7710
Part of subcall function 001A7674: PtInRect.USER32(?,?,001A8B89), ref: 001A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001A9277
DragFinish.SHELL32(?), ref: 001A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001A9371

Strings

@GUI_DRAGID, xrefs: 001A92E9
@GUI_DROPID, xrefs: 001A929E
@GUI_DRAGFILE, xrefs: 001A9320

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 2af42d13a9c312964b08f4d873f9f9a7ea4e6994561293056f1c3cf661d43e77
Instruction ID: 58911a160798fae4085e71cfa98c49424545c1aacbf3403c8d09ff4042b0c67b
Opcode Fuzzy Hash: 2af42d13a9c312964b08f4d873f9f9a7ea4e6994561293056f1c3cf661d43e77
Instruction Fuzzy Hash: E7617C71108301AFC705DF64DC85DAFBBE8FF99750F00092EF596962A1DB309A89CB92

Function 0018C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0018C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0018C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0018C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0018C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0018C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0018C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0018C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0018C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0018C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0018C5F0
InternetCloseHandle.WININET(00000000), ref: 0018C5FB

Strings

, xrefs: 0018C575

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 7fd70569f4d46b4f879f0cf638ed6b74eded294918ad87b1c790f85b3fc79c1a
Instruction ID: 382ae1742bfbc42151d3689ea5ca046381a863de77e7b147aae53a25e061e7f3
Opcode Fuzzy Hash: 7fd70569f4d46b4f879f0cf638ed6b74eded294918ad87b1c790f85b3fc79c1a
Instruction Fuzzy Hash: D0513DB1600605BFDB21AFA4C988AAB7BFCFF09754F10441AF94596650DB34EA449FB0

Function 001A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 001A8592
GetFileSize.KERNEL32(00000000,00000000), ref: 001A85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001A85AD
CloseHandle.KERNEL32(00000000), ref: 001A85BA
GlobalLock.KERNEL32(00000000), ref: 001A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001A85D7
GlobalUnlock.KERNEL32(00000000), ref: 001A85E0
CloseHandle.KERNEL32(00000000), ref: 001A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001A85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,001AFC38,?), ref: 001A8611
GlobalFree.KERNEL32(00000000), ref: 001A8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 001A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001A8671
DeleteObject.GDI32(00000000), ref: 001A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001A86AF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ad43a7b62b4c47ec34e37c64d49cbce1d4eb7ba0e9b4e5ed11382eba0ee93461
Instruction ID: 24823edc82813c35e7ec4870b5c1a2a49c44a17b736b34c26d695f033ce8b345
Opcode Fuzzy Hash: ad43a7b62b4c47ec34e37c64d49cbce1d4eb7ba0e9b4e5ed11382eba0ee93461
Instruction Fuzzy Hash: E741F875600208AFDB11DFA5DC48EABBBB8FF8AB15F144159F909E7260DB309D41CBA0

Function 001814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00181502
VariantCopy.OLEAUT32(?,?), ref: 0018150B
VariantClear.OLEAUT32(?), ref: 00181517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00181657
VariantInit.OLEAUT32(?), ref: 00181708
SysFreeString.OLEAUT32(?), ref: 0018178C
VariantClear.OLEAUT32(?), ref: 001817D8
VariantClear.OLEAUT32(?), ref: 001817E7
VariantInit.OLEAUT32(00000000), ref: 00181823

Strings

Default, xrefs: 001816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00181625

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9693ddacca99dd9dd95775ab4e256dcf703ae524d46ba4fd0b0ae3fc2ac9a867
Instruction ID: fe0961081f1d6185c0e46b8e779762c1d9e210058a1b8429085ecf41c85b528e
Opcode Fuzzy Hash: 9693ddacca99dd9dd95775ab4e256dcf703ae524d46ba4fd0b0ae3fc2ac9a867
Instruction Fuzzy Hash: 87D1F433A00115EBDB18AF65E885B7DB7B9BF46700F11806AF446AB580DB30DE92DF91

Function 0019B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 0019C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019C9F1
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA68
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0019B80A
RegCloseKey.ADVAPI32(?), ref: 0019B87E
RegCloseKey.ADVAPI32(?), ref: 0019B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0019B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0019B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0019B922
FreeLibrary.KERNEL32(00000000), ref: 0019B983
RegCloseKey.ADVAPI32(00000000), ref: 0019B994

Strings

RegDeleteKeyExW, xrefs: 0019B8FE
advapi32.dll, xrefs: 0019B8ED

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b83b99dcf0d014b4a5ebf47625d7007707b20b648de69c59e56133590136916d
Instruction ID: 683c81f9a221a71863496086a45047bc102771d544fe36b68d3626e96dc034bd
Opcode Fuzzy Hash: b83b99dcf0d014b4a5ebf47625d7007707b20b648de69c59e56133590136916d
Instruction Fuzzy Hash: C5C18C74208201AFDB14DF14D5D4F6ABBE5BF84308F14855CF5AA8B2A2CB71EC85CB91

Function 0019255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001925E8
CreateCompatibleDC.GDI32(?), ref: 001925F4
SelectObject.GDI32(00000000,?), ref: 00192601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0019266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001926D0
SelectObject.GDI32(?,?), ref: 001926D8
DeleteObject.GDI32(?), ref: 001926E1
DeleteDC.GDI32(?), ref: 001926E8
ReleaseDC.USER32(00000000,?), ref: 001926F3

Strings

(, xrefs: 0019268D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 87a354057d528d68d5d2809875c31a8b49bf6e31cfc7c75be0163d73ae28ab32
Instruction ID: 160319584b397a64a76be7b62c9ef1fc5184308339de7c153373d0b3b8de8abc
Opcode Fuzzy Hash: 87a354057d528d68d5d2809875c31a8b49bf6e31cfc7c75be0163d73ae28ab32
Instruction Fuzzy Hash: 4061F3B5E00219EFCF04CFA4D984AAEBBF6FF58310F208529E955A7650E770A951CF90

Function 0014DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0014DAA1

Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D659
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D66B
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D67D
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D68F
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6A1
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6B3
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6C5
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6D7
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6E9
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6FB
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D70D
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D71F
Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D731

_free.LIBCMT ref: 0014DA96

Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0

_free.LIBCMT ref: 0014DAB8
_free.LIBCMT ref: 0014DACD
_free.LIBCMT ref: 0014DAD8
_free.LIBCMT ref: 0014DAFA
_free.LIBCMT ref: 0014DB0D
_free.LIBCMT ref: 0014DB1B
_free.LIBCMT ref: 0014DB26
_free.LIBCMT ref: 0014DB5E
_free.LIBCMT ref: 0014DB65
_free.LIBCMT ref: 0014DB82
_free.LIBCMT ref: 0014DB9A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 455c3444b639768d3ddb42487bc8a3e586a23d0d59b8ed93f656899140e7ea0f
Instruction ID: 1398c9005f09d16838f494e8e414bca8eb983cfbd0914609991c5b15662d064d
Opcode Fuzzy Hash: 455c3444b639768d3ddb42487bc8a3e586a23d0d59b8ed93f656899140e7ea0f
Instruction Fuzzy Hash: D8313B316047059FEF22AA39E845B5A77E9FF21315F65442AF449D72B1DF31AC80C721

Function 0017365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0017369C
_wcslen.LIBCMT ref: 001736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00173797
GetClassNameW.USER32(?,?,00000400), ref: 0017380C
GetDlgCtrlID.USER32(?), ref: 0017385D
GetWindowRect.USER32(?,?), ref: 00173882
GetParent.USER32(?), ref: 001738A0
ScreenToClient.USER32(00000000), ref: 001738A7
GetClassNameW.USER32(?,?,00000100), ref: 00173921
GetWindowTextW.USER32(?,?,00000400), ref: 0017395D

Strings

%s%u, xrefs: 00173734

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 1ea0a8b6edb41d93c7c1748281aa8577788b52a32a47cdce32748fa1e8968221
Instruction ID: 98942c81351f3d5b62260ffe648bf5879946c8b369171c2b080766dbab0c1f21
Opcode Fuzzy Hash: 1ea0a8b6edb41d93c7c1748281aa8577788b52a32a47cdce32748fa1e8968221
Instruction Fuzzy Hash: 71919171204606AFDB19DF24C885BEAF7B9FF44354F008629FAADD2190DB30EA45DB91

Function 00174954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00174994
GetWindowTextW.USER32(?,?,00000400), ref: 001749DA
_wcslen.LIBCMT ref: 001749EB
CharUpperBuffW.USER32(?,00000000), ref: 001749F7
_wcsstr.LIBVCRUNTIME ref: 00174A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00174A64
GetWindowTextW.USER32(?,?,00000400), ref: 00174A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00174AE6
GetClassNameW.USER32(?,?,00000400), ref: 00174B20
GetWindowRect.USER32(?,?), ref: 00174B8B

Strings

ThumbnailClass, xrefs: 00174A6F, 00174AF1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f947db1d733193e58ce063a1809cf5775ed5dcefb8a92a0e56796b4b4adb162b
Instruction ID: 8bf1c63db054613192092902ab3f1040ed07b41a4857a35e5a57b5d67d1e5601
Opcode Fuzzy Hash: f947db1d733193e58ce063a1809cf5775ed5dcefb8a92a0e56796b4b4adb162b
Instruction Fuzzy Hash: A591BD711042059FDB09DF14C981BAAB7F9FF98314F04846AFD8A9B196EB30ED45CBA1

Function 0017BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(001E1990,000000FF,00000000,00000030), ref: 0017BFAC
SetMenuItemInfoW.USER32(001E1990,00000004,00000000,00000030), ref: 0017BFE1
Sleep.KERNEL32(000001F4), ref: 0017BFF3
GetMenuItemCount.USER32(?), ref: 0017C039
GetMenuItemID.USER32(?,00000000), ref: 0017C056
GetMenuItemID.USER32(?,-00000001), ref: 0017C082
GetMenuItemID.USER32(?,?), ref: 0017C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0017C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0017C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0017C145

Strings

0, xrefs: 0017BF3D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 2ef90e813e37c97f021c0dee9cb5775ce847cb93424247ba5f01e03a7aa26e32
Instruction ID: d1684d22d76fef7c2a66992ec064264ccf9eaad6527c9caff0bb521a7ffa8d21
Opcode Fuzzy Hash: 2ef90e813e37c97f021c0dee9cb5775ce847cb93424247ba5f01e03a7aa26e32
Instruction Fuzzy Hash: 3D617FB4A00246EFDF15CF64DC88AEE7BB8EB05344F548169F819A3291D735AD45CBE0

Function 0019CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0019CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0019CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0019CD48

Part of subcall function 0019CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0019CCAA
Part of subcall function 0019CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0019CCBD
Part of subcall function 0019CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0019CCCF
Part of subcall function 0019CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0019CD05
Part of subcall function 0019CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0019CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0019CCF3

Strings

RegDeleteKeyExW, xrefs: 0019CCC9
advapi32.dll, xrefs: 0019CCB8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3cc54da6406a506718d9b6910a9586e9e052af1182d96b25831f7232b2863c49
Instruction ID: cd58e2cd4200af753a2c23e93f5731b8ee6be2e75b4e41c81d6c4beb53f45e92
Opcode Fuzzy Hash: 3cc54da6406a506718d9b6910a9586e9e052af1182d96b25831f7232b2863c49
Instruction Fuzzy Hash: D8316E75A01229BBDB208B94DC88EFFBBBCEF56750F000165F945E2240DB349E85DAE0

Function 00183D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00183D40
_wcslen.LIBCMT ref: 00183D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00183D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00183DBE
RemoveDirectoryW.KERNEL32(?), ref: 00183DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00183E55
CloseHandle.KERNEL32(00000000), ref: 00183E60
CloseHandle.KERNEL32(00000000), ref: 00183E6B

Strings

\??\%s, xrefs: 00183D5B
\, xrefs: 00183D77
:, xrefs: 00183D82

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 305c893fdb97dc234e428d6664e643e9f31f88bee30ae26bf872c4e2042784fe
Instruction ID: b622f09535f522f1408fcf332948ef2f00afbb8e00ce30f1caac93b84e176121
Opcode Fuzzy Hash: 305c893fdb97dc234e428d6664e643e9f31f88bee30ae26bf872c4e2042784fe
Instruction Fuzzy Hash: 7C31D471900109ABDB21ABA0DC48FEF37BDEF89B00F5441B6F515D6050EB7497858B64

Function 0017E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0017E6B4

Part of subcall function 0012E551: timeGetTime.WINMM(?,?,0017E6D4), ref: 0012E555

Sleep.KERNEL32(0000000A), ref: 0017E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0017E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0017E727
SetActiveWindow.USER32 ref: 0017E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0017E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0017E773
Sleep.KERNEL32(000000FA), ref: 0017E77E
IsWindow.USER32 ref: 0017E78A
EndDialog.USER32(00000000), ref: 0017E79B

Strings

BUTTON, xrefs: 0017E719

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a0fd858774e034babba52c4d96d65f8cd4c8fb44c2273dcecc3c1b6c989f869e
Instruction ID: 97e13e954bb1f07789a76ec9b1b5df312fd1e0bd4e0cd840eb175f4ecb6b2f88
Opcode Fuzzy Hash: a0fd858774e034babba52c4d96d65f8cd4c8fb44c2273dcecc3c1b6c989f869e
Instruction Fuzzy Hash: 1D219670200245AFEF005FA4ECD9A293BFDF75D349F108465F91DC6AB1DBB1AD809AA4

Function 0017E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0017EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0017EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0017EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0017EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0017EAA7

Strings

play PlayMe, xrefs: 0017EAA2
open , xrefs: 0017EA0C
play PlayMe wait, xrefs: 0017EA91
close PlayMe, xrefs: 0017EA6E, 0017EA9B
alias PlayMe, xrefs: 0017EA36
status PlayMe mode, xrefs: 0017EA58

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 81fe1ec653ee229606f08871e62947fdbb2e5040b0688bc2c6eb88f9cce53d0b
Instruction ID: 10c7d4a6f89562518433e95e79ec7e1d3aaf660148e07558348e6e15c0e36982
Opcode Fuzzy Hash: 81fe1ec653ee229606f08871e62947fdbb2e5040b0688bc2c6eb88f9cce53d0b
Instruction Fuzzy Hash: E7115131A902197DD728A7A5DC5ADFF6BBCEBD5B04F40042AB811A21D1EB701A45C5B0

Function 00179F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0017A012
SetKeyboardState.USER32(?), ref: 0017A07D
GetAsyncKeyState.USER32(000000A0), ref: 0017A09D
GetKeyState.USER32(000000A0), ref: 0017A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0017A0E3
GetKeyState.USER32(000000A1), ref: 0017A0F4
GetAsyncKeyState.USER32(00000011), ref: 0017A120
GetKeyState.USER32(00000011), ref: 0017A12E
GetAsyncKeyState.USER32(00000012), ref: 0017A157
GetKeyState.USER32(00000012), ref: 0017A165
GetAsyncKeyState.USER32(0000005B), ref: 0017A18E
GetKeyState.USER32(0000005B), ref: 0017A19C

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 754557b390a0b1c486e469f5ac75831560a3568b32f54897b8c2e7c54b13379c
Instruction ID: 2436d0dbe9c7a23b8492d67ded12c493f49eef6a422d2dcf47a4295b04ddfecb
Opcode Fuzzy Hash: 754557b390a0b1c486e469f5ac75831560a3568b32f54897b8c2e7c54b13379c
Instruction Fuzzy Hash: E551EA20A0478869FB35DB7088117EEBFF59F52380F88C599D5CA571C3DB54AA8CC7A2

Function 00175CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00175CE2
GetWindowRect.USER32(00000000,?), ref: 00175CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00175D59
GetDlgItem.USER32(?,00000002), ref: 00175D69
GetWindowRect.USER32(00000000,?), ref: 00175D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00175DCF
GetDlgItem.USER32(?,000003E9), ref: 00175DDD
GetWindowRect.USER32(00000000,?), ref: 00175DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00175E31
GetDlgItem.USER32(?,000003EA), ref: 00175E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00175E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00175E67

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e1c0a83264a4ef02142a2e64b667d0ca1d51cbdee28b2d815d19254dfa79b892
Instruction ID: 7d6db8c9ce7b7c52b4f5659c6c1f4fc0f13a03c20f5964235ab14a008e454676
Opcode Fuzzy Hash: e1c0a83264a4ef02142a2e64b667d0ca1d51cbdee28b2d815d19254dfa79b892
Instruction Fuzzy Hash: F0510171B00605AFDF18CFA8DD89AAEBBB6FB48310F148129F519E7690D7709E44CB50

Function 00128BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00128F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00128BE8,?,00000000,?,?,?,?,00128BBA,00000000,?), ref: 00128FC5

DestroyWindow.USER32(?), ref: 00128C81
KillTimer.USER32(00000000,?,?,?,?,00128BBA,00000000,?), ref: 00128D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00166973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00128BBA,00000000,?), ref: 001669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00128BBA,00000000,?), ref: 001669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00128BBA,00000000), ref: 001669D4
DeleteObject.GDI32(00000000), ref: 001669E6

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d1e50f87202f84d433ff6891285ce31f2a4ae7412d01246506989f17d4e53979
Instruction ID: 31283eda10cf8fc7aa77e247a6866db07b9ccc172f2dbb0e04bc1d881f8ec252
Opcode Fuzzy Hash: d1e50f87202f84d433ff6891285ce31f2a4ae7412d01246506989f17d4e53979
Instruction Fuzzy Hash: BC618A31502660EFDB259F64EE88B6AB7F1FB5131AF15451CE0429B961CB35ACF0CBA0

Function 00129838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00129944: GetWindowLongW.USER32(?,000000EB), ref: 00129952

GetSysColor.USER32(0000000F), ref: 00129862

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b50fc5524f019da53d12898840b1d0ea8b7a0c761c71ab8e1d3ba2aba45eeef6
Instruction ID: 6c81700b9938d485880847a90ead8d8e0ecc0d1ed480b2a6603c9daaa1fc8ea4
Opcode Fuzzy Hash: b50fc5524f019da53d12898840b1d0ea8b7a0c761c71ab8e1d3ba2aba45eeef6
Instruction Fuzzy Hash: B841F531604654EFDB245F3CAC88BB93BA5EB17334F184645F9A2872E2C7309CA2DB50

Function 001796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0015F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00179717
LoadStringW.USER32(00000000,?,0015F7F8,00000001), ref: 00179720

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0015F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00179742
LoadStringW.USER32(00000000,?,0015F7F8,00000001), ref: 00179745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00179866

Strings

^ ERROR, xrefs: 001797FB
%s (%d) : ==> %s: %s %s, xrefs: 0017984A
Line %d (File "%s"):, xrefs: 0017978F
Error: , xrefs: 0017981D
Line %d:, xrefs: 001797A0

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: c4f9256377180118f66ddfe61a29ca290b38186770674984b362a7e0c12584af
Instruction ID: 325f1fb29809cac12facfbf127a9107e703b6477e02521dca19043fb075e45c3
Opcode Fuzzy Hash: c4f9256377180118f66ddfe61a29ca290b38186770674984b362a7e0c12584af
Instruction Fuzzy Hash: 5441417290021DAADF08EBE0DD96EEE7778AF25340F504035F61576092EB356F88CBA1

Function 001706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00170804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0017082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00170837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0017083C

Strings

\CLSID, xrefs: 00170724
SOFTWARE\Classes\, xrefs: 0017070E
\IPC$, xrefs: 00170784

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6fde7e844d2f2613d2953930b3f169dfccdc9dfba6c1e91a3c8ddf595b13a6e5
Instruction ID: c67aec9e4202bd652a2935a85810715b16bdd5e5a3116a72cdec6e51eeed5c21
Opcode Fuzzy Hash: 6fde7e844d2f2613d2953930b3f169dfccdc9dfba6c1e91a3c8ddf595b13a6e5
Instruction Fuzzy Hash: FD411872C10229EBCF19EBA4DC95CEDB778BF18354F44412AF915A3161EB30AE84CB90

Function 001A3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001A403B
CreateCompatibleDC.GDI32(00000000), ref: 001A4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001A4055
SelectObject.GDI32(00000000,00000000), ref: 001A405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 001A4068
DeleteDC.GDI32(00000000), ref: 001A4072
GetWindowLongW.USER32(?,000000EC), ref: 001A407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 001A4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 001A409E

Strings

static, xrefs: 001A3FD3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 5107e34a4a395412486099a0a66bab0767da9880fdc008b41e7424c833dc0f8f
Instruction ID: 89264af1432627010c3b815fcbe35f70ae78340b718b4486afc86f4306462e08
Opcode Fuzzy Hash: 5107e34a4a395412486099a0a66bab0767da9880fdc008b41e7424c833dc0f8f
Instruction Fuzzy Hash: B7316E36501215AFDF219FA4DD09FDA3BA9FF0E324F110211FA19E61A1C775D850DB90

Function 00193C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00193C5C
CoInitialize.OLE32(00000000), ref: 00193C8A
CoUninitialize.OLE32 ref: 00193C94
_wcslen.LIBCMT ref: 00193D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00193DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00193ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00193F0E
CoGetObject.OLE32(?,00000000,001AFB98,?), ref: 00193F2D
SetErrorMode.KERNEL32(00000000), ref: 00193F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00193FC4
VariantClear.OLEAUT32(?), ref: 00193FD8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 25be4627a0f1724b0e83466090f397e2dd0d4bb636142495185efe2a5e10c554
Instruction ID: c3ba81f925ef9167d5693929e12257c3d5b56b1423f14b8946aac90afea0423b
Opcode Fuzzy Hash: 25be4627a0f1724b0e83466090f397e2dd0d4bb636142495185efe2a5e10c554
Instruction Fuzzy Hash: F8C135716083059FCB04DF68C88496BB7E9FF89744F00491DF99A9B250DB30EE46CB92

Function 00187A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00187AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00187B8F
SHGetDesktopFolder.SHELL32(?), ref: 00187BA3
CoCreateInstance.OLE32(001AFD08,00000000,00000001,001D6E6C,?), ref: 00187BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00187C74
CoTaskMemFree.OLE32(?,?), ref: 00187CCC
SHBrowseForFolderW.SHELL32(?), ref: 00187D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00187D7A
CoTaskMemFree.OLE32(00000000), ref: 00187D81
CoTaskMemFree.OLE32(00000000), ref: 00187DD6
CoUninitialize.OLE32 ref: 00187DDC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 2d9260b5c34a78eda27089a46b70aa40fe5fda4ea6c2fca3b624b374187ff033
Instruction ID: 3b5e7bd8556f3de938759cc8226a80182ef1a2c0f19ea73b53bba5dd5a158230
Opcode Fuzzy Hash: 2d9260b5c34a78eda27089a46b70aa40fe5fda4ea6c2fca3b624b374187ff033
Instruction Fuzzy Hash: C6C10B75A04109AFCB14DFA4C884DAEBBF9FF48314B1485A9E8199B761D730EE85CF90

Function 001A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A5515
CharNextW.USER32(00000158), ref: 001A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A55AC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: fa9ad2a0c825cff328f67718347f7429b98839bf0185213cbd9e34d967a7bc50
Instruction ID: 0ec1fb882d231fd604150fa08ab999493920b7f1329d0a3b802921bdd6d9ffcb
Opcode Fuzzy Hash: fa9ad2a0c825cff328f67718347f7429b98839bf0185213cbd9e34d967a7bc50
Instruction Fuzzy Hash: 5D616E79908608EBDF10DF94DC849FE7BBAEB0B724F104145F925AB291D7748A80DBA1

Function 0016FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0016FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0016FB08
VariantInit.OLEAUT32(?), ref: 0016FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0016FB3A
VariantCopy.OLEAUT32(?,?), ref: 0016FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0016FBA1
VariantClear.OLEAUT32(?), ref: 0016FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0016FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0016FBCC
VariantClear.OLEAUT32(?), ref: 0016FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0016FBE9

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a118c73d7b3dcfbc47924cec918b141c35e569e570d010294f06859242888c85
Instruction ID: aab7eb2f45bb5410bb509081f2735985a5412f97f7dc44db4780e2b1916e15c4
Opcode Fuzzy Hash: a118c73d7b3dcfbc47924cec918b141c35e569e570d010294f06859242888c85
Instruction Fuzzy Hash: 3F416235A00219DFCB04DF68DC549EEBBB9FF19344F008069E905A7261CB30E956CF90

Function 00179C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00179CA1
GetAsyncKeyState.USER32(000000A0), ref: 00179D22
GetKeyState.USER32(000000A0), ref: 00179D3D
GetAsyncKeyState.USER32(000000A1), ref: 00179D57
GetKeyState.USER32(000000A1), ref: 00179D6C
GetAsyncKeyState.USER32(00000011), ref: 00179D84
GetKeyState.USER32(00000011), ref: 00179D96
GetAsyncKeyState.USER32(00000012), ref: 00179DAE
GetKeyState.USER32(00000012), ref: 00179DC0
GetAsyncKeyState.USER32(0000005B), ref: 00179DD8
GetKeyState.USER32(0000005B), ref: 00179DEA

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2008bd6b1ad031f09e5634a7ab1cd4a72f6ee6f2f38db16622d8dc59229ba820
Instruction ID: 3f289a1ebfee20009c450cc5f4d865a7cae356f9e1923328544d526078bc6c67
Opcode Fuzzy Hash: 2008bd6b1ad031f09e5634a7ab1cd4a72f6ee6f2f38db16622d8dc59229ba820
Instruction Fuzzy Hash: 224189345047CA6DFF3596A4C4043B5BEB16F12344F48C05ADACE566C2EBA599CCC792

Function 0019055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001905BC
inet_addr.WSOCK32(?), ref: 0019061C
gethostbyname.WSOCK32(?), ref: 00190628
IcmpCreateFile.IPHLPAPI ref: 00190636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001907B9
WSACleanup.WSOCK32 ref: 001907BF

Strings

Ping, xrefs: 00190676

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 89385519a7b233cf6e0ea6ff6e15c202d47efaaa9828ad40ecfb299afd9414df
Instruction ID: b5bf08510366301e73b0f5795a473c53def0af2cdc93af150ed1d01c0d983a34
Opcode Fuzzy Hash: 89385519a7b233cf6e0ea6ff6e15c202d47efaaa9828ad40ecfb299afd9414df
Instruction Fuzzy Hash: 85919E356042019FDB25CF55D888F1ABBE0AF48328F1585A9F4A98B6A2C730FD85CF91

Function 00198CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00198CF3

Part of subcall function 00178E54: _wcslen.LIBCMT ref: 00178E77

_wcslen.LIBCMT ref: 00198D4E
_wcslen.LIBCMT ref: 00198D9C
_wcslen.LIBCMT ref: 00198DDC
_wcslen.LIBCMT ref: 00198E6E

Strings

winapi, xrefs: 00198D96, 00198D9B
none, xrefs: 00198E65, 00198E6A
cdecl, xrefs: 00198D48, 00198D4D
stdcall, xrefs: 00198DD6, 00198DDB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1125af3ba84fcb57f6eb32a4000786138d207814948eaada18722300cb055f0c
Instruction ID: f0d10c33534a6235e2cc763984c92f381ce742ffb90a1b1c559539d02eb4b561
Opcode Fuzzy Hash: 1125af3ba84fcb57f6eb32a4000786138d207814948eaada18722300cb055f0c
Instruction Fuzzy Hash: 3D518F31A001169BCF14DFACC9609BEB7E5BF66724B614229E826E72C4EB35DD40C790

Function 0019372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00193774
CoUninitialize.OLE32 ref: 0019377F
CoCreateInstance.OLE32(?,00000000,00000017,001AFB78,?), ref: 001937D9
IIDFromString.OLE32(?,?), ref: 0019384C
VariantInit.OLEAUT32(?), ref: 001938E4
VariantClear.OLEAUT32(?), ref: 00193936

Strings

NULL Pointer assignment, xrefs: 0019381E
Invalid parameter, xrefs: 00193865
Failed to create object, xrefs: 001937E4, 0019389A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 01e0ba0ed7d86aa00d02e3f4c27111e38144cfc2dbc784fd4b9b815289af6ba0
Instruction ID: 3c7c5cbc8d88d3fc7ec82f5ff2230a11542add84899f70119a0847e5402bb82e
Opcode Fuzzy Hash: 01e0ba0ed7d86aa00d02e3f4c27111e38144cfc2dbc784fd4b9b815289af6ba0
Instruction Fuzzy Hash: 2E61C070608311AFD715DF54C888F6ABBE8EF49714F00091DF9A59B291D770EE89CB92

Function 00183388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001833CF

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001833F0

Strings

^ ERROR , xrefs: 0018349E
Line %d (File "%s"):, xrefs: 00183443, 0018345C
Error: , xrefs: 001834D1
"%s" (%d) : ==> %s:, xrefs: 00183522
"%s" (%d) : ==> %s:%s%s, xrefs: 00183504
Incorrect parameters to object property !, xrefs: 001834AB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 53b82d3796c8956e4556425d1818dc1d282ffbb3297f8f1de58a36a716f31f13
Instruction ID: ef22506665831ac35ec8ea795cea7d58a3ced3d3a258314a14eca6fcb3727460
Opcode Fuzzy Hash: 53b82d3796c8956e4556425d1818dc1d282ffbb3297f8f1de58a36a716f31f13
Instruction Fuzzy Hash: 27518D71900209BADF19EBE0DD42EEEB778AF24740F144066F51572192EB312F98DF60

Function 0017B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0017B5FC
_wcslen.LIBCMT ref: 0017B608
_wcslen.LIBCMT ref: 0017B64D
_wcslen.LIBCMT ref: 0017B68C
_wcslen.LIBCMT ref: 0017B6C7

Strings

EXISTS, xrefs: 0017B686, 0017B68B
KEYS, xrefs: 0017B647, 0017B64C
APPEND, xrefs: 0017B6C1, 0017B6C6
REMOVE, xrefs: 0017B602, 0017B607

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 3a6aa0312fced72721cadb8fce5c8bfc37f023551661b8a3795a8d1bb48cce96
Instruction ID: 3d30b254e5f38f8bfc7a1165333824589b8fa7d931f9360ea207dc37bd0be096
Opcode Fuzzy Hash: 3a6aa0312fced72721cadb8fce5c8bfc37f023551661b8a3795a8d1bb48cce96
Instruction Fuzzy Hash: B6412932A080269BCB106F7DC8D06BE77B1AF64764B248129F629DB284E735CD81C390

Function 00185393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00185416
GetLastError.KERNEL32 ref: 00185420
SetErrorMode.KERNEL32(00000000,READY), ref: 001854A7

Strings

UNKNOWN, xrefs: 00185444
READONLY, xrefs: 00185452
NOTREADY, xrefs: 0018544B
READY, xrefs: 00185460, 00185468
INVALID, xrefs: 00185459

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 9f7a0eb2a904b1140f4b1f41c9f6d257b438a6bf03d5794c4cb801bb3085ee64
Instruction ID: 569dbdea0695c4d49e5060becbf136e7f11c6a6fe14d9bf50b0dfa42ca687463
Opcode Fuzzy Hash: 9f7a0eb2a904b1140f4b1f41c9f6d257b438a6bf03d5794c4cb801bb3085ee64
Instruction Fuzzy Hash: B7318F35A00604DFD714EF68C584AAA7BB6EF55305F148066E405DB392EB71EE86CFA0

Function 001A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001A3C79
SetMenu.USER32(?,00000000), ref: 001A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A3D10
IsMenu.USER32(?), ref: 001A3D24
CreatePopupMenu.USER32 ref: 001A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001A3D5B
DrawMenuBar.USER32 ref: 001A3D63

Strings

F, xrefs: 001A3D4E
0, xrefs: 001A3C54

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9b38f66fc07ffbfd49141295c519971cb510d4688b2cb44ae7a0eae75481e3ee
Instruction ID: 7cbe77a66e88797e34e5fe49658de23b5f9813c78f6b01619d1f5a11875ccda4
Opcode Fuzzy Hash: 9b38f66fc07ffbfd49141295c519971cb510d4688b2cb44ae7a0eae75481e3ee
Instruction Fuzzy Hash: F2414779A01209EFDB14CFA4E884BEA7BB5FF4A354F140029F956A7360D770AA50CF94

Function 00171EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00171F64
GetDlgCtrlID.USER32 ref: 00171F6F
GetParent.USER32 ref: 00171F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00171F8E
GetDlgCtrlID.USER32(?), ref: 00171F97
GetParent.USER32(?), ref: 00171FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00171FAE

Strings

ListBox, xrefs: 00171F21
ComboBox, xrefs: 00171EEC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6dbc848a4c5d0c0403bd1d04916ba6f4b52651dd50cb87a431fafc09b118a49f
Instruction ID: 8f099d3cceae73f6882f900c25497fc3c858a93180c0f3909a4d33a5a24f67f1
Opcode Fuzzy Hash: 6dbc848a4c5d0c0403bd1d04916ba6f4b52651dd50cb87a431fafc09b118a49f
Instruction Fuzzy Hash: E721CF70900218BBCF05EFA4DC95EEEBBB9EF16350B104116F969A72A1CB345948DBA0

Function 00171FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00172043
GetDlgCtrlID.USER32 ref: 0017204E
GetParent.USER32 ref: 0017206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0017206D
GetDlgCtrlID.USER32(?), ref: 00172076
GetParent.USER32(?), ref: 0017208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0017208D

Strings

ListBox, xrefs: 00172002
ComboBox, xrefs: 00171FCD

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f8e651128e91d4e848c1240616c701534629d10236aa8af9530002234c879563
Instruction ID: 4a1a16816dff995b5a566797a5dc1b26ec5a1f162bfd94b66e6580926f3f26bf
Opcode Fuzzy Hash: f8e651128e91d4e848c1240616c701534629d10236aa8af9530002234c879563
Instruction Fuzzy Hash: 8221C271A00218BBCF15EFA0CC85EEEBBB8AF15340F004016F9A9A72A1CB754955DBA0

Function 001A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001A3C13

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ae62d21020124b6a57641f7da715c96661deb1c6491cef733faab737793923b2
Instruction ID: dae47c8eeb0e75531b3ceec866bdee7a6b85855b0dfd9b8e826eedf35dc18a81
Opcode Fuzzy Hash: ae62d21020124b6a57641f7da715c96661deb1c6491cef733faab737793923b2
Instruction Fuzzy Hash: A5615C75900248AFDB10DFA4CC81FEE77B8EB0A714F10415AFA15AB291D770AA85DB60

Function 0017B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0017B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0017A1E1,?,00000001), ref: 0017B165
GetWindowThreadProcessId.USER32(00000000), ref: 0017B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0017A1E1,?,00000001), ref: 0017B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0017B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0017A1E1,?,00000001), ref: 0017B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0017A1E1,?,00000001), ref: 0017B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0017A1E1,?,00000001), ref: 0017B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0017A1E1,?,00000001), ref: 0017B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0017A1E1,?,00000001), ref: 0017B21D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 431a0bd236a90b2ae5934e112cfa96becb93f7b20482b3827c166e68cea9ea10
Instruction ID: ea0e95290565b11db20ab4adde7b39e80ad154052de00b9035c20691bdb3fc2a
Opcode Fuzzy Hash: 431a0bd236a90b2ae5934e112cfa96becb93f7b20482b3827c166e68cea9ea10
Instruction Fuzzy Hash: 63318075504208BFDB10DFA4ECC8B6EBBB9BB55311F108415FA19DB691D7B4AE808FA0

Function 00142C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00142C94

Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0

_free.LIBCMT ref: 00142CA0
_free.LIBCMT ref: 00142CAB
_free.LIBCMT ref: 00142CB6
_free.LIBCMT ref: 00142CC1
_free.LIBCMT ref: 00142CCC
_free.LIBCMT ref: 00142CD7
_free.LIBCMT ref: 00142CE2
_free.LIBCMT ref: 00142CED
_free.LIBCMT ref: 00142CFB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62e56f452a02354dbcd4c479f8fbcf1e1238eebcf55eb3b146a2458220018238
Instruction ID: d8f5c273083752f6c149300692f15e803c81f23a77523a9439cbfa0dbb3c5ce1
Opcode Fuzzy Hash: 62e56f452a02354dbcd4c479f8fbcf1e1238eebcf55eb3b146a2458220018238
Instruction Fuzzy Hash: CA119076100118AFDB02EF96D982CDD3BA9FF15354F9144A5FA489B232DB31EA909B90

Function 00187DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00187FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00187FC1
GetFileAttributesW.KERNEL32(?), ref: 00187FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00188005
SetCurrentDirectoryW.KERNEL32(?), ref: 00188017
SetCurrentDirectoryW.KERNEL32(?), ref: 00188060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001880B0

Strings

*.*, xrefs: 00188066

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0c5033439a3685292e72ef03aa81ce85dab12e63d0576df312721f361e8530b0
Instruction ID: 1822f0eb25590ceb206329fbe6dfb2ccbbb4952a5795e96161c95ffb4bfd7994
Opcode Fuzzy Hash: 0c5033439a3685292e72ef03aa81ce85dab12e63d0576df312721f361e8530b0
Instruction Fuzzy Hash: B981A1725082059BCB24FF14C4849AAB7E9BF99310F644C6EF889D7290EB35DE45CF92

Function 00115BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00115C7A

Part of subcall function 00115D0A: GetClientRect.USER32(?,?), ref: 00115D30
Part of subcall function 00115D0A: GetWindowRect.USER32(?,?), ref: 00115D71
Part of subcall function 00115D0A: ScreenToClient.USER32(?,?), ref: 00115D99

GetDC.USER32 ref: 001546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00154708
SelectObject.GDI32(00000000,00000000), ref: 00154716
SelectObject.GDI32(00000000,00000000), ref: 0015472B
ReleaseDC.USER32(?,00000000), ref: 00154733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001547C4

Strings

U, xrefs: 00154693

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a276446ecd5819704405e571ebebd091dd7c01a0ec614ec4289e97a069ce10d5
Instruction ID: a66c7950578561d74e8e4fcc032e93e51fcdefd99a3a06035c33d63d01883b35
Opcode Fuzzy Hash: a276446ecd5819704405e571ebebd091dd7c01a0ec614ec4289e97a069ce10d5
Instruction Fuzzy Hash: D571FF34400205DFCF29CF64C984AEA3BB6FF8A36AF144229ED655E266C73088C5DF90

Function 0018359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001835E4

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

LoadStringW.USER32(001E2390,?,00000FFF,?), ref: 0018360A

Strings

^ ERROR, xrefs: 001836C9
Line %d (File "%s"):, xrefs: 0018366B
Error: , xrefs: 001836EF
"%s" (%d) : ==> %s:, xrefs: 00183742
"%s" (%d) : ==> %s:%s%s, xrefs: 00183724

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 089823311d9c64c6d7fa548fbcd7483c97ac12fce95e6ce729a63fa7fa703d9c
Instruction ID: 98680a9ddeabffc3554d4f3daba0df75faf6b515c1b626adeb8bf9ba08aa8fcf
Opcode Fuzzy Hash: 089823311d9c64c6d7fa548fbcd7483c97ac12fce95e6ce729a63fa7fa703d9c
Instruction Fuzzy Hash: 63516D71800209BADF19EBE0DC52EEEBB38AF24710F144125F525761A1EB316BD9DFA1

Function 0018C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0018C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0018C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0018C2CA
GetLastError.KERNEL32 ref: 0018C322
SetEvent.KERNEL32(?), ref: 0018C336
InternetCloseHandle.WININET(00000000), ref: 0018C341

Strings

, xrefs: 0018C2BB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8c1f7ebf03e790a7907574f018b78408e1280f7405d1fc464457c5e19d19272e
Instruction ID: eddcef508d0e229c694caeb85185fcc27ea7b29a747216c39e91d6dc05cbbec4
Opcode Fuzzy Hash: 8c1f7ebf03e790a7907574f018b78408e1280f7405d1fc464457c5e19d19272e
Instruction Fuzzy Hash: 1B316DB1500604AFD721AFA49888AAB7BFCFB5A744F10851EF84692640DB34DE459FB0

Function 0017989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00153AAF,?,?,Bad directive syntax error,001ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001798BC
LoadStringW.USER32(00000000,?,00153AAF,?), ref: 001798C3

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00179987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 001798F1
Error: , xrefs: 00179955
Line %d (File "%s"):, xrefs: 0017992D
Line %d:, xrefs: 00179912
., xrefs: 0017996D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 6ad01d967e3d105380577dce40f07df54fa5f8c9918298928db6641c1c4b40c1
Instruction ID: 2506100b5f7007bf197bf114688912559890971c97df0e1d7f4d07dcf79db18c
Opcode Fuzzy Hash: 6ad01d967e3d105380577dce40f07df54fa5f8c9918298928db6641c1c4b40c1
Instruction Fuzzy Hash: 9B21913190021EFBDF15AF90CC06EEE7775FF28304F04446AF629660A2EB71A658DB50

Function 0017209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0017214D

Strings

SHELLDLL_DefView, xrefs: 001720CC
details, xrefs: 001720FB
list, xrefs: 0017212F
smallicons, xrefs: 00172115
largeicons, xrefs: 001720E1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 13fda0cc6b78335442b7d0b446934f7109ac5c81a886da7911f0e7e14fda5ca1
Instruction ID: d49ec6cf8666ffa6efccf7581d159327e16f42beaaba9ab440965ee61951c812
Opcode Fuzzy Hash: 13fda0cc6b78335442b7d0b446934f7109ac5c81a886da7911f0e7e14fda5ca1
Instruction Fuzzy Hash: 4C11557A288306BAFB056220DC07CE733ADEB15324F208017FB0DA51E2FF71A8435654

Function 00148D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3936961a086d63eb67fc8db637a498f819c23d08819a495b7055a36232204d4
Instruction ID: ddec35c6caae330a909bf7f6078677d65d79d6370b2e166aa71674c35b1cf618
Opcode Fuzzy Hash: a3936961a086d63eb67fc8db637a498f819c23d08819a495b7055a36232204d4
Instruction Fuzzy Hash: 74C1C174E04249AFDF11DFE8D841BAEBBB4AF19310F144199F915AB3A2C7709982CB61

Function 0014CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0014CEB7
_free.LIBCMT ref: 0014CF22
_free.LIBCMT ref: 0014CF48
_free.LIBCMT ref: 0014CF71
_free.LIBCMT ref: 0014CFA9
_free.LIBCMT ref: 0014CFDA
_free.LIBCMT ref: 0014D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0014D09C
_free.LIBCMT ref: 0014D0B5

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9befe7f3fd557df7d037a0a906e1c8f94afdc8d375181c0c25ab931701cb9699
Instruction ID: a86aaba15cedb6a2bfc81570d5b59ca09b5e0e165e6d1ad058aed9b217e9258f
Opcode Fuzzy Hash: 9befe7f3fd557df7d037a0a906e1c8f94afdc8d375181c0c25ab931701cb9699
Instruction Fuzzy Hash: 53617871A05311AFDF22AFF4DC81A6EBBA5EF15320F04016DF9449B2A2DB359D8587E0

Function 001A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001A5186
ShowWindow.USER32(?,00000000), ref: 001A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001A51D1

Part of subcall function 001A6FBA: DeleteObject.GDI32(00000000), ref: 001A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001A5296

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: df65b84c6037ff1c219b23869e98d09099fdb607eca386e318db4b395880491a
Instruction ID: 0fd17d8b4182d32ac39c79c6923e97600ccf39a7a33923e57b6ae2e980216d8a
Opcode Fuzzy Hash: df65b84c6037ff1c219b23869e98d09099fdb607eca386e318db4b395880491a
Instruction Fuzzy Hash: FE51C038A48A08FEEF349F24DC4ABE83B63FB17364F184012F615962E1C775A990DB40

Function 00128B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00166890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00128874,00000000,00000000,00000000,000000FF,00000000), ref: 00166901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0016691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00128874,00000000,00000000,00000000,000000FF,00000000), ref: 0016692D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: fcffff0ddeb829932b4b03445a00b200479423526bcd7b1bdb7958f10967c3f3
Instruction ID: 7a622557c3273d85cb6ab2542520ac92006341a588ed5a33b1db166c85c7cbd1
Opcode Fuzzy Hash: fcffff0ddeb829932b4b03445a00b200479423526bcd7b1bdb7958f10967c3f3
Instruction Fuzzy Hash: 90517770A00209EFDB24CF28DC95FAA7BB5FB58754F10451CF916976A0DB70E9A0DB90

Function 0018C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0018C182
GetLastError.KERNEL32 ref: 0018C195
SetEvent.KERNEL32(?), ref: 0018C1A9

Part of subcall function 0018C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0018C272
Part of subcall function 0018C253: GetLastError.KERNEL32 ref: 0018C322
Part of subcall function 0018C253: SetEvent.KERNEL32(?), ref: 0018C336
Part of subcall function 0018C253: InternetCloseHandle.WININET(00000000), ref: 0018C341

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b8fd1e2d6ee40797263b2a133e0c48257c47172d4d4067c921cbf26a018d6338
Instruction ID: 51fde712da00edc966aa3af8100e8bb12ae0d6ef2710bc88a283ec307e423474
Opcode Fuzzy Hash: b8fd1e2d6ee40797263b2a133e0c48257c47172d4d4067c921cbf26a018d6338
Instruction Fuzzy Hash: 0B317E71100601AFDB21AFA5DC44A66BBFAFF19300B04441EF95682650DB31EA549FF0

Function 001725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00173A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00173A57
Part of subcall function 00173A3D: GetCurrentThreadId.KERNEL32 ref: 00173A5E
Part of subcall function 00173A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001725B3), ref: 00173A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00172601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00172605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0017260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00172623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00172627

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3fe869aa5cd55dcf2f8d7b98b9070e1b4b3404358123857a2587a92676fd33fa
Instruction ID: 348b8c22bbb715ae3326f1fb103341f60621bf8509610655fafb975e0eb5d17f
Opcode Fuzzy Hash: 3fe869aa5cd55dcf2f8d7b98b9070e1b4b3404358123857a2587a92676fd33fa
Instruction Fuzzy Hash: D801D431390210BBFB1067689C8AF993F69DB5EB12F104001F328EF1D1CAF224859AA9

Function 00171803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00171449,?,?,00000000), ref: 0017180C
HeapAlloc.KERNEL32(00000000,?,00171449,?,?,00000000), ref: 00171813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00171449,?,?,00000000), ref: 00171828
GetCurrentProcess.KERNEL32(?,00000000,?,00171449,?,?,00000000), ref: 00171830
DuplicateHandle.KERNEL32(00000000,?,00171449,?,?,00000000), ref: 00171833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00171449,?,?,00000000), ref: 00171843
GetCurrentProcess.KERNEL32(00171449,00000000,?,00171449,?,?,00000000), ref: 0017184B
DuplicateHandle.KERNEL32(00000000,?,00171449,?,?,00000000), ref: 0017184E
CreateThread.KERNEL32(00000000,00000000,00171874,00000000,00000000,00000000), ref: 00171868

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 26595e6a937ef1dd53892523af34aed874e1361e67fc07d9685504c89f7ccb03
Instruction ID: ca5dfe7d492eaa26f5d31beae77a2c245a6f5656c71c4cac30d1c6a937c5b270
Opcode Fuzzy Hash: 26595e6a937ef1dd53892523af34aed874e1361e67fc07d9685504c89f7ccb03
Instruction Fuzzy Hash: BF01BBB5340308FFE710ABA5DC4DF6B3BACEB8AB11F008411FA05DB5A1DA709840CB60

Function 0019A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0017D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0017D501
Part of subcall function 0017D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0017D50F
Part of subcall function 0017D4DC: CloseHandle.KERNELBASE(00000000), ref: 0017D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019A16D
GetLastError.KERNEL32 ref: 0019A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0019A268
GetLastError.KERNEL32(00000000), ref: 0019A273
CloseHandle.KERNEL32(00000000), ref: 0019A2C4

Strings

SeDebugPrivilege, xrefs: 0019A18F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ab1bc534a87f78a429552c7b1a329b9a584e524f067d7a47fc6f105d6d20d373
Instruction ID: a75dc99e3f777c5e2834b07c89d4fa9253bd3d2988084c0aa8fea34f1f903c51
Opcode Fuzzy Hash: ab1bc534a87f78a429552c7b1a329b9a584e524f067d7a47fc6f105d6d20d373
Instruction Fuzzy Hash: 3F61A230208242AFDB14DF18C494F65BBE1AF54318F54849CE4664BBA3C772EC89CBD2

Function 001A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001A3954
_wcslen.LIBCMT ref: 001A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001A39F4

Strings

SysListView32, xrefs: 001A38F7

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 420fb9e21b83197eb69541d247b2f706b0ee5c84b99a89c166855c56676db15b
Instruction ID: 8c84d026fb12863eb153a3f9c77071ffa777b47728c6465d3ada8b5ddf098a37
Opcode Fuzzy Hash: 420fb9e21b83197eb69541d247b2f706b0ee5c84b99a89c166855c56676db15b
Instruction Fuzzy Hash: 2241C275A00218ABEB219F64CC49FEA7BA9EF09354F100126F968E7281D7759E84CB90

Function 0017BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0017BCFD
IsMenu.USER32(00000000), ref: 0017BD1D
CreatePopupMenu.USER32 ref: 0017BD53
GetMenuItemCount.USER32(010756D8), ref: 0017BDA4
InsertMenuItemW.USER32(010756D8,?,00000001,00000030), ref: 0017BDCC

Strings

2, xrefs: 0017BD37
0, xrefs: 0017BCA8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f8986835a639e936862e208d1c6adc52d93f5632aea93e09a0faeaff78dba9bc
Instruction ID: 16ca86387b9a85efeab768b8f6a39410850136137afe4d3a8a6b745bd38b6377
Opcode Fuzzy Hash: f8986835a639e936862e208d1c6adc52d93f5632aea93e09a0faeaff78dba9bc
Instruction Fuzzy Hash: 4F519C70A082059FDB25CFE8D8C8BAEBBF4AF59318F14C219E419E7291E7709941CB61

Function 0017C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0017C913

Strings

warning, xrefs: 0017C8FC
blank, xrefs: 0017C895
stop, xrefs: 0017C8E4
question, xrefs: 0017C8CC
info, xrefs: 0017C8B4

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fbf920ab49e464c6d73c63aebde0845e54be26cae947286518a5ae86f7d95d64
Instruction ID: 57569a6b8df3fe9b20b73d88951383a0a7a4b2b3db9764e259d9e414b1e0c3c5
Opcode Fuzzy Hash: fbf920ab49e464c6d73c63aebde0845e54be26cae947286518a5ae86f7d95d64
Instruction Fuzzy Hash: 6E11EB3168930ABBE7055B549C83CEA77BCDF15358B10402FF609A6282D7606D4052E5

Function 0017DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0017DE42
gethostname.WSOCK32(?,00000100), ref: 0017DE5C
gethostbyname.WSOCK32(?), ref: 0017DE69
inet_ntoa.WSOCK32(?), ref: 0017DEAB
_strcat.LIBCMT ref: 0017DEB9
WSACleanup.WSOCK32 ref: 0017DEDE

Strings

0.0.0.0, xrefs: 0017DE87

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: b42400bc14fe262d531929e2da1c8c28b7f44302a11d795ce45a919f96a6f143
Instruction ID: 6b1c4ab15f94e7213404d842baa5c5e4266004c9792229fba894392943a4b383
Opcode Fuzzy Hash: b42400bc14fe262d531929e2da1c8c28b7f44302a11d795ce45a919f96a6f143
Instruction Fuzzy Hash: 0C112931904119AFDB25AB70EC0AEEF77BCDF29721F0141A9F40996091EF719AC18B90

Function 001A9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2

GetSystemMetrics.USER32(0000000F), ref: 001A9FC7
GetSystemMetrics.USER32(0000000F), ref: 001A9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 001AA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001AA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001AA263
ShowWindow.USER32(00000003,00000000), ref: 001AA282
InvalidateRect.USER32(?,00000000,00000001), ref: 001AA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 001AA2CA

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 8d78fb85fb207a26b9922ce74df369382546614a54c0b678257f5beb046bbdb6
Instruction ID: 381d586c137c12678a6fc68bffee51f132982db9cc4f2feb52c307a411002266
Opcode Fuzzy Hash: 8d78fb85fb207a26b9922ce74df369382546614a54c0b678257f5beb046bbdb6
Instruction Fuzzy Hash: 00B1AA39600215EFDF14CF68C9857AE7BB2FF4A701F09806AEC499B295D731A990CB51

Function 0017ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0017ED2A
_wcslen.LIBCMT ref: 0017ED3B
_wcslen.LIBCMT ref: 0017ED79
_wcslen.LIBCMT ref: 0017EDAF
_wcslen.LIBCMT ref: 0017EDDF
_wcslen.LIBCMT ref: 0017EDEF
_wcslen.LIBCMT ref: 0017EE2B
_wcslen.LIBCMT ref: 0017EE5A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b1f09505b1d8c9fc583e4e7d1110adb96326ba6066143fc2359be845329a4b6e
Instruction ID: 077fef01128e9916abeee1afb4d1dd3a8b3c8aa3c1c96486f25768d1f74eafb7
Opcode Fuzzy Hash: b1f09505b1d8c9fc583e4e7d1110adb96326ba6066143fc2359be845329a4b6e
Instruction Fuzzy Hash: 34419365C1021876CB11EBF4D88AADFB7F8AF69710F508862F518E3121FB34E255C3A6

Function 0012F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0016682C,00000004,00000000,00000000), ref: 0012F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0016682C,00000004,00000000,00000000), ref: 0016F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0016682C,00000004,00000000,00000000), ref: 0016F454

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 631300881fab12db2452cd9036dc9e9442cfb26d91e944252278561218a8dafc
Instruction ID: 6b847e7a252549b4b69994036980b97d93c1a114cfe06335c9b1339474ccc81d
Opcode Fuzzy Hash: 631300881fab12db2452cd9036dc9e9442cfb26d91e944252278561218a8dafc
Instruction Fuzzy Hash: F441E931608690BECF399B29BC8872A7BB2BB56318F15443CF04756A61D731A8E2CB51

Function 001A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001A2D1B
GetDC.USER32(00000000), ref: 001A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001A2DE1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: deba0bcf8256aecf873a2eee41db0c38a372f06d19ff1be6815ed34274ab16c6
Instruction ID: 3b3b46a0fe4efe182bdf7bcf69967275aacc0cf3f1256ae608a5027af0b7b8b6
Opcode Fuzzy Hash: deba0bcf8256aecf873a2eee41db0c38a372f06d19ff1be6815ed34274ab16c6
Instruction Fuzzy Hash: 4A317A76201214BFEB218F54CC8AFFB3BA9EF0A715F044055FE089A292C6759C90CBA4

Function 00175622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00175637
_memcmp.LIBVCRUNTIME ref: 00175659
_memcmp.LIBVCRUNTIME ref: 00175671
_memcmp.LIBVCRUNTIME ref: 00175684
_memcmp.LIBVCRUNTIME ref: 0017569E
_memcmp.LIBVCRUNTIME ref: 001756B1
_memcmp.LIBVCRUNTIME ref: 001756C9
_memcmp.LIBVCRUNTIME ref: 001756E4

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6a4df6fb0d58bb81bc4fc637d176f667377f2deb7306270a0829fbe71550ccc9
Instruction ID: 626700904f63d60923fb3dfaebe90b4a4dad9221363cc9e4a275e16243aced71
Opcode Fuzzy Hash: 6a4df6fb0d58bb81bc4fc637d176f667377f2deb7306270a0829fbe71550ccc9
Instruction Fuzzy Hash: 8F21A7A5641A0977D71855218D82FFA337FBF213A4F548024FD0C9A581FBB1EE1181A5

Function 00194FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0019502E, 00195383
Not an Object type, xrefs: 00195007

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 831c9f4d4d567db2492f76cf17295edcb5c72c50a7b3ee2d45d7db60165a5835
Instruction ID: 7fee153f8b17c1eb196e2383b9addd9bf38f93be2a47f3cf78a54852df0ac57a
Opcode Fuzzy Hash: 831c9f4d4d567db2492f76cf17295edcb5c72c50a7b3ee2d45d7db60165a5835
Instruction Fuzzy Hash: 82D1B175A0060A9FDF15CFA8C881BAEB7B6BF48344F148169E915BB281E770DD45CBA0

Function 00151522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 001515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00151651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001516FB

Part of subcall function 00143820: RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00151777
__freea.LIBCMT ref: 001517A2
__freea.LIBCMT ref: 001517AE

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 8593d497716947ad93b92888c5d25b66ff88870258547c51b3525668ccfde370
Instruction ID: 1e74c932c7e66c087c6e438781247a4a0c55a1e4f7b0cc392fe9b0ba67c19508
Opcode Fuzzy Hash: 8593d497716947ad93b92888c5d25b66ff88870258547c51b3525668ccfde370
Instruction Fuzzy Hash: 0D91D872E10216FADB268E74C841BEE7BB5AF49311F140659ED21EF150E735DC48CBA0

Function 00194523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00194648
VariantInit.OLEAUT32(?), ref: 00194749
VariantClear.OLEAUT32(?), ref: 00194753
VariantClear.OLEAUT32(?), ref: 001947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0019472C
Null Object assignment in FOR..IN loop, xrefs: 001945D8, 00194706, 001947BE

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 4fe27029314243250eaeb1f8f21ab3c07af417479d24e954efb2d17346a3939f
Instruction ID: 05363746cf6b676a026d7de20a0798f2e3fd61d47c571de100ad75080ee0ac3c
Opcode Fuzzy Hash: 4fe27029314243250eaeb1f8f21ab3c07af417479d24e954efb2d17346a3939f
Instruction Fuzzy Hash: 9F918E71A00219ABDF28CFA5D884FAEBBB8EF46714F118559F505AB280D7709946CFA0

Function 00181187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0018125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00181284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0018135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00181430

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 16d72ef9e5ebb91ac1ab4f71e3f894719b56659b6154ea9047a791ae32bc54a5
Instruction ID: 7628da22096d1bbac4c9225b2ba6a698371c927cff165ab5d5ecf7fd6f492c20
Opcode Fuzzy Hash: 16d72ef9e5ebb91ac1ab4f71e3f894719b56659b6154ea9047a791ae32bc54a5
Instruction Fuzzy Hash: 8D91D372A00219AFDB05EFA4C884BFE77B9FF55315F214029E901E7291D774AA46CF90

Function 0012948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 96f2464e5823ab761105064e981bc7ae9ed60200e51d9781a8a7bbffadb8c0a0
Instruction ID: c89ea9926062d4204c2f99d30c0048d8dab7f3266a353df8da86f04faff75dce
Opcode Fuzzy Hash: 96f2464e5823ab761105064e981bc7ae9ed60200e51d9781a8a7bbffadb8c0a0
Instruction Fuzzy Hash: F7913971E00219EFCB14CFA9DC84AEEBBB8FF49320F14415AE515B7291D778A951CBA0

Function 00193947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0019396B
CharUpperBuffW.USER32(?,?), ref: 00193A7A
_wcslen.LIBCMT ref: 00193A8A
VariantClear.OLEAUT32(?), ref: 00193C1F

Part of subcall function 00180CDF: VariantInit.OLEAUT32(00000000), ref: 00180D1F
Part of subcall function 00180CDF: VariantCopy.OLEAUT32(?,?), ref: 00180D28
Part of subcall function 00180CDF: VariantClear.OLEAUT32(?), ref: 00180D34

Strings

AUTOIT.ERROR, xrefs: 00193A80, 00193A85
Incorrect Parameter format, xrefs: 001939A6, 00193BA1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 6a9f6f9a8f6342b5d5b631386b1b421e2b5b81eb21bd80e8f46d7aed907bf1cf
Instruction ID: 4440a3644cf67b5243ed2c8c6b78da721dc8dab3fdac12a353e5e70243314d7c
Opcode Fuzzy Hash: 6a9f6f9a8f6342b5d5b631386b1b421e2b5b81eb21bd80e8f46d7aed907bf1cf
Instruction Fuzzy Hash: 1B9169756083059FCB14EF64C48096AB7E5FF99314F14882EF89A9B351DB30EE45CB92

Function 00194BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0017000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?,?,0017035E), ref: 0017002B
Part of subcall function 0017000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170046
Part of subcall function 0017000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170054
Part of subcall function 0017000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?), ref: 00170064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00194C51
_wcslen.LIBCMT ref: 00194D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00194DCF
CoTaskMemFree.OLE32(?), ref: 00194DDA

Strings

NULL Pointer assignment, xrefs: 00194E23, 00194E52

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: d1df4590cc183bb14a7e646bf929173cb7b21b1cee670347ac79ef7cad8f90c4
Instruction ID: 0a84c2818bdc2d77a7ee780437cfb0b4b93be98040c9a3d3e2a2685e92d0b507
Opcode Fuzzy Hash: d1df4590cc183bb14a7e646bf929173cb7b21b1cee670347ac79ef7cad8f90c4
Instruction Fuzzy Hash: 75912771D0021DAFDF15DFA4D890EEEBBB8BF18314F108169E919A7251EB349A45CFA0

Function 001A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001A2183
GetMenuItemCount.USER32(00000000), ref: 001A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001A21DD
_wcslen.LIBCMT ref: 001A2213
GetMenuItemID.USER32(?,?), ref: 001A224D
GetSubMenu.USER32(?,?), ref: 001A225B

Part of subcall function 00173A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00173A57
Part of subcall function 00173A3D: GetCurrentThreadId.KERNEL32 ref: 00173A5E
Part of subcall function 00173A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001725B3), ref: 00173A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001A22E3

Part of subcall function 0017E97B: Sleep.KERNEL32 ref: 0017E9F3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 161fe409d85b1fdaf6739a3d6450518d26de6b4219e1c43e21b6e41a17e74e9b
Instruction ID: bbf40f86b87154caf0e7609578223e3ee10354675f78ef89230d84efb57bfb5c
Opcode Fuzzy Hash: 161fe409d85b1fdaf6739a3d6450518d26de6b4219e1c43e21b6e41a17e74e9b
Instruction Fuzzy Hash: 98717F79E00205AFCB14DFA8C845AAEB7F5EF5A310F158469E816EB351DB34ED428B90

Function 001A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010757F0), ref: 001A7F37
IsWindowEnabled.USER32(010757F0), ref: 001A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001A801E
SendMessageW.USER32(010757F0,000000B0,?,?), ref: 001A8051
IsDlgButtonChecked.USER32(?,?), ref: 001A8089
GetWindowLongW.USER32(010757F0,000000EC), ref: 001A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001A80C3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9854412265a61c45d6402e39ad8320938bba475a72d6c87ae112db969fe6a750
Instruction ID: de887af503c5b475d7b69dbacb701dbed2408261081830ab6d884b6f59d23a96
Opcode Fuzzy Hash: 9854412265a61c45d6402e39ad8320938bba475a72d6c87ae112db969fe6a750
Instruction Fuzzy Hash: B471AE78608204AFEB25DF64CC94FEA7BB5EF1B300F144459F955972A1CB31AE44CB60

Function 0017AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0017AEF9
GetKeyboardState.USER32(?), ref: 0017AF0E
SetKeyboardState.USER32(?), ref: 0017AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0017AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0017AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0017AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0017B020

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 69a69dc347c41b3cc461eecd247466947751f70bad18a3890e1052a56b4a1e31
Instruction ID: 86794bfa7b42ea9558345bae8f93bd1b3a66f6035e6a7cd8b35f5a6d47ce6c41
Opcode Fuzzy Hash: 69a69dc347c41b3cc461eecd247466947751f70bad18a3890e1052a56b4a1e31
Instruction Fuzzy Hash: AB51CFA06086D53DFB3682348885BBEBEB95F46304F08C589F1DD958C2C798A8C8D752

Function 0017ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0017AD19
GetKeyboardState.USER32(?), ref: 0017AD2E
SetKeyboardState.USER32(?), ref: 0017AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0017ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0017ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0017AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0017AE38

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1e7dcd94add94fcd5470f3d8bd8d39ef816b6fd1b0964f54fd612431bf548864
Instruction ID: 6dde2b113b045f9949e1f30f8fce2b3b5c2cd6f06619c66a761764ae4dbe034d
Opcode Fuzzy Hash: 1e7dcd94add94fcd5470f3d8bd8d39ef816b6fd1b0964f54fd612431bf548864
Instruction Fuzzy Hash: 9B51C1A15487D53DFB368364CC95BBEBEB95F86300F48C488E1DD86882D794AC88D762

Function 0014542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00153CD6,?,?,?,?,?,?,?,?,00145BA3,?,?,00153CD6,?,?), ref: 00145470
__fassign.LIBCMT ref: 001454EB
__fassign.LIBCMT ref: 00145506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00153CD6,00000005,00000000,00000000), ref: 0014552C
WriteFile.KERNEL32(?,00153CD6,00000000,00145BA3,00000000,?,?,?,?,?,?,?,?,?,00145BA3,?), ref: 0014554B
WriteFile.KERNEL32(?,?,00000001,00145BA3,00000000,?,?,?,?,?,?,?,?,?,00145BA3,?), ref: 00145584

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0f222c7878c2fc178d2bf765cba013191fc27fa64e7b27dd19406037670925ab
Instruction ID: 4d2ab04e879ffd856f010a7188ee69e4c8e326d40ee8e180c5c8da0ed4c5b5ca
Opcode Fuzzy Hash: 0f222c7878c2fc178d2bf765cba013191fc27fa64e7b27dd19406037670925ab
Instruction Fuzzy Hash: 2A51D871A00649AFDB11CFA8D885AFEBBF6EF09310F14411AF555EB2A2D730DA41CB60

Function 00132D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00132D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00132D53
_ValidateLocalCookies.LIBCMT ref: 00132DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00132E0C
_ValidateLocalCookies.LIBCMT ref: 00132E61

Strings

csm, xrefs: 00132DF6

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d1fe31267ffbc5ea1a52c1c645ffc245e2794d0243f543875e1898aa5b8644eb
Instruction ID: ca6f64e2b738f807c2a6db0e3cfc30feea763e57ecbb0d358bb770a79d1f4ebd
Opcode Fuzzy Hash: d1fe31267ffbc5ea1a52c1c645ffc245e2794d0243f543875e1898aa5b8644eb
Instruction Fuzzy Hash: DD41A734E00209EBCF14EFA8C845A9EBBB5BF45324F148155F919AB352D735DA45CBD0

Function 001910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0019304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0019307A
Part of subcall function 0019304E: _wcslen.LIBCMT ref: 0019309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00191112
WSAGetLastError.WSOCK32 ref: 00191121
WSAGetLastError.WSOCK32 ref: 001911C9
closesocket.WSOCK32(00000000), ref: 001911F9

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: fac2b656ca98dd6fc8c6e22d3575d2c18ac236a6ac66b56198151443f522bd48
Instruction ID: 9110dda6e008526fe78ae0d211e58220c5a6903cfed6912beb5fcd380d6d2e68
Opcode Fuzzy Hash: fac2b656ca98dd6fc8c6e22d3575d2c18ac236a6ac66b56198151443f522bd48
Instruction Fuzzy Hash: 9241CF31600205BFDB149F64C884BAABBEAFF45364F148069F9169B291C774EDC1CBE1

Function 0017CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0017DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0017CF22,?), ref: 0017DDFD

Part of subcall function 0017DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0017CF22,?), ref: 0017DE16

lstrcmpiW.KERNEL32(?,?), ref: 0017CF45
MoveFileW.KERNEL32(?,?), ref: 0017CF7F
_wcslen.LIBCMT ref: 0017D005
_wcslen.LIBCMT ref: 0017D01B
SHFileOperationW.SHELL32(?), ref: 0017D061

Strings

\*.*, xrefs: 0017CFF3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 1c049c5e408eba1b76780d485f53f279abee5f3eb318e7d453406079108ac77b
Instruction ID: 205c37d5ba797f7de024d68b442363ab3bbb045c6ed7bc74f2b2e694d6250326
Opcode Fuzzy Hash: 1c049c5e408eba1b76780d485f53f279abee5f3eb318e7d453406079108ac77b
Instruction Fuzzy Hash: 294114719452189FDF16EBA4D981BDEB7F9AF19380F1040EAE509EB141EB34A788CB50

Function 001A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 001A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 001A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 001A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001A2F0B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f9093a39de399376b47f4b7302d5735c77ae76f396be978cba532c0bcd3a9598
Instruction ID: d032bc4bb0a4de08083ce842f904e65e413916ef3a9ccfc2f9600d526306efe3
Opcode Fuzzy Hash: f9093a39de399376b47f4b7302d5735c77ae76f396be978cba532c0bcd3a9598
Instruction Fuzzy Hash: 8331D239645290AFDB21CF5CDC84FA937E5EB9AB14F150164F905CF6B2CB71A880DB81

Function 00177726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00177769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0017778F
SysAllocString.OLEAUT32(00000000), ref: 00177792
SysAllocString.OLEAUT32(?), ref: 001777B0
SysFreeString.OLEAUT32(?), ref: 001777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001777DE
SysAllocString.OLEAUT32(?), ref: 001777EC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 50a9a612949860b2b8954de4e7522911216eb1de35b2eb2c15be891dc98ccc13
Instruction ID: a20fca3d3d2c965ac8eec4bdcd23669a79a444691dbef73640fdaa43b05155bc
Opcode Fuzzy Hash: 50a9a612949860b2b8954de4e7522911216eb1de35b2eb2c15be891dc98ccc13
Instruction Fuzzy Hash: 1D21B076604219AFDB14EFA8DC88CBB77FCEB09364B018425FA08DB190D770DC8287A4

Function 001777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00177842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00177868
SysAllocString.OLEAUT32(00000000), ref: 0017786B
SysAllocString.OLEAUT32 ref: 0017788C
SysFreeString.OLEAUT32 ref: 00177895
StringFromGUID2.OLE32(?,?,00000028), ref: 001778AF
SysAllocString.OLEAUT32(?), ref: 001778BD

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 22ed6da3f7a45045b9b65646824f285fe539d4c9e05e05887a7b077df5d921dc
Instruction ID: 21c074539f82e75dbc8bf20efedb969f2d276fa97a6fec49aa2132da9263d91b
Opcode Fuzzy Hash: 22ed6da3f7a45045b9b65646824f285fe539d4c9e05e05887a7b077df5d921dc
Instruction Fuzzy Hash: 85213035608214AFDB109FA8DC88DBA77FCEB09760B118125F919CB2A1DB74DC81CBA5

Function 001804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0018052E

Strings

nul, xrefs: 00180567

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3dfcdd8bf3f2b24e0af61f07ebb2dc6b98e652b17a414d07cb3653997bb19d4f
Instruction ID: 69a7bb9e94b966ca8ef7f1ad1a965a4df647cbc9771cd256a9e51ae812ae7c65
Opcode Fuzzy Hash: 3dfcdd8bf3f2b24e0af61f07ebb2dc6b98e652b17a414d07cb3653997bb19d4f
Instruction Fuzzy Hash: 39216075600309AFDB61AF29DC44A9A77E4BF49724F204A19F8A1D72E0D7709A88CF70

Function 001805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00180601

Strings

nul, xrefs: 00180639

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: bd983462b29915c1ac3cb5172eac69314574ce37a5fd77eb73db0dcc7609d84e
Instruction ID: 69ec9b2c9903fcab6717b12a8eef98ee36b25a24d4a997dbf65e140012a05381
Opcode Fuzzy Hash: bd983462b29915c1ac3cb5172eac69314574ce37a5fd77eb73db0dcc7609d84e
Instruction Fuzzy Hash: 732183755003099FDB61AF698C04A5A77E4BF99720F304B19F8A1E72E0E7709A64CF60

Function 001A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0011600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0011604C
Part of subcall function 0011600E: GetStockObject.GDI32(00000011), ref: 00116060
Part of subcall function 0011600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0011606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001A4145

Strings

Msctls_Progress32, xrefs: 001A40E3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7aff2b4606bab9cd4007726e0e09de9c756c0f3d08e0cd877b11dff8e3cd830c
Instruction ID: 30d779cdbc5f2009bdedd58b104b076d3b4c9fcf7e33fca18527f7c7a13af2c7
Opcode Fuzzy Hash: 7aff2b4606bab9cd4007726e0e09de9c756c0f3d08e0cd877b11dff8e3cd830c
Instruction Fuzzy Hash: 4211E2B6140219BFEF108F64CC81EE77F9DEF09398F004110BA18A2190CBB29C61DBA0

Function 0014D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0014D7A3: _free.LIBCMT ref: 0014D7CC

_free.LIBCMT ref: 0014D82D

Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0

_free.LIBCMT ref: 0014D838
_free.LIBCMT ref: 0014D843
_free.LIBCMT ref: 0014D897
_free.LIBCMT ref: 0014D8A2
_free.LIBCMT ref: 0014D8AD
_free.LIBCMT ref: 0014D8B8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7b77029a6bf6f8145233abb249f73d26166b24d4bb220203e93a948785e7011c
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: C2115971540B14AAEE21BFF0DC06FCB7B9CAF20705F800825F299A62A2DB34A5458661

Function 0017DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0017DA74
LoadStringW.USER32(00000000), ref: 0017DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0017DA91
LoadStringW.USER32(00000000), ref: 0017DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0017DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0017DAB9

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9bc1a8fb54d960aad58d1fa6ae16a677a4ba354d3b3d7346642a455bee6dd0cb
Instruction ID: 3e6c5b9d6dcf83803608620120f81adb4a1f388e6e6b2dd96b43e8738f1809d1
Opcode Fuzzy Hash: 9bc1a8fb54d960aad58d1fa6ae16a677a4ba354d3b3d7346642a455bee6dd0cb
Instruction Fuzzy Hash: FF014FF6500208BBE7109BA09D89EE6327CEB09301F404496B70AE2141EA749E848BB4

Function 0018096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0106E258,0106E258), ref: 0018097B
EnterCriticalSection.KERNEL32(0106E238,00000000), ref: 0018098D
TerminateThread.KERNEL32(?,000001F6), ref: 0018099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001809A9
CloseHandle.KERNEL32(?), ref: 001809B8
InterlockedExchange.KERNEL32(0106E258,000001F6), ref: 001809C8
LeaveCriticalSection.KERNEL32(0106E238), ref: 001809CF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4f969ffd15741bf1edeb45a364da9a5ffd320a9340665e68b6a3fe634e639184
Instruction ID: 31227f83e9721766ab74e05fdf297ef891ae64b74924de42ce0fb1ea3f5a8b83
Opcode Fuzzy Hash: 4f969ffd15741bf1edeb45a364da9a5ffd320a9340665e68b6a3fe634e639184
Instruction Fuzzy Hash: 5DF0C932542A12BBD7525BA4EE89BD6BA29FF06706F402026F20290CA1DB7595A5CFD0

Function 00115D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00115D30
GetWindowRect.USER32(?,?), ref: 00115D71
ScreenToClient.USER32(?,?), ref: 00115D99
GetClientRect.USER32(?,?), ref: 00115ED7
GetWindowRect.USER32(?,?), ref: 00115EF8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7c9cef0011cdb8b0d7841942820feecc0608f22b197847c6cf2b177d6afa8ce6
Instruction ID: 4cf01a5e534c3865c5efd0d1e0a3015fd45cbb4f61cfa5774f4ffd44b6d66dcb
Opcode Fuzzy Hash: 7c9cef0011cdb8b0d7841942820feecc0608f22b197847c6cf2b177d6afa8ce6
Instruction Fuzzy Hash: 82B16B34A0064ADFDB18CFA9C4407EEB7F2FF58314F14941AE8A9D7250D730AA95DB54

Function 001401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001400D6
__allrem.LIBCMT ref: 001400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0014010B
__allrem.LIBCMT ref: 00140122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00140140

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: a36c617439597aeb9afab3a1322d50b8ea02d215b85d4236b815fb19d50b0364
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: F7814972A00706ABE725AF39CC81B6B73E8AF65764F24453EF911D72A1E770D9018B50

Function 00191D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00193149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0019101C,00000000,?,?,00000000), ref: 00193195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00191DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00191DE1
WSAGetLastError.WSOCK32 ref: 00191DF2
inet_ntoa.WSOCK32(?), ref: 00191E8C
htons.WSOCK32(?,?,?,?,?), ref: 00191EDB
_strlen.LIBCMT ref: 00191F35

Part of subcall function 001739E8: _strlen.LIBCMT ref: 001739F2

Part of subcall function 00116D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0012CF58,?,?,?), ref: 00116DBA
Part of subcall function 00116D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0012CF58,?,?,?), ref: 00116DED

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 4b2dbb771d0eb72b731aacb1ba6d140fa6453705d25e6e17f08f1dbb23298e2e
Instruction ID: 44b8088daa374a154f5f960dbeb3be443a3ec0a3f9fe7756d045eb16c23010c5
Opcode Fuzzy Hash: 4b2dbb771d0eb72b731aacb1ba6d140fa6453705d25e6e17f08f1dbb23298e2e
Instruction Fuzzy Hash: 70A10531104341AFCB28DF20C895F6A7BE5AF94318F54895CF4565B2E2DB31ED86CB91

Function 001461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001382D9,001382D9,?,?,?,0014644F,00000001,00000001,8BE85006), ref: 00146258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0014644F,00000001,00000001,8BE85006,?,?,?), ref: 001462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001463D8
__freea.LIBCMT ref: 001463E5

Part of subcall function 00143820: RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852

__freea.LIBCMT ref: 001463EE
__freea.LIBCMT ref: 00146413

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 8c888e71930dccbc225c87bb27c1a0caaae2d1a3f688642e870fb086595bbce5
Instruction ID: 37665ff02aa91fc563ccb0a696b20f1045bb363bc50c964a8b796536ccf3ab12
Opcode Fuzzy Hash: 8c888e71930dccbc225c87bb27c1a0caaae2d1a3f688642e870fb086595bbce5
Instruction Fuzzy Hash: 8B51F372A00256ABDB258F64CC81EAF77A9FF56728F154629FC09D71A0DB34DC80C6A1

Function 0019BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 0019C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019C9F1
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA68
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019BD25
RegCloseKey.ADVAPI32(00000000), ref: 0019BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0019BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0019BDF3
RegCloseKey.ADVAPI32(?), ref: 0019BDFF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: bf3481c4e5f6b0108230608dce6cfec73a2e1641605caaa207a2c9de1c5eadcc
Instruction ID: d30f218f457db060d8dabdea9dd22021732b8c4848e52ca2a8c180aa7ebdab3e
Opcode Fuzzy Hash: bf3481c4e5f6b0108230608dce6cfec73a2e1641605caaa207a2c9de1c5eadcc
Instruction Fuzzy Hash: F181AD30208241AFCB14DF64D9D5E6ABBE5FF85308F14896CF4594B2A2DB31ED45CB92

Function 0016F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0016F7B9
SysAllocString.OLEAUT32(00000001), ref: 0016F860
VariantCopy.OLEAUT32(0016FA64,00000000), ref: 0016F889
VariantClear.OLEAUT32(0016FA64), ref: 0016F8AD
VariantCopy.OLEAUT32(0016FA64,00000000), ref: 0016F8B1
VariantClear.OLEAUT32(?), ref: 0016F8BB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 628a86de6794d21a3ab3f7410a8c51901b056788b8c82bbf94cd8f4368a3c613
Instruction ID: 5fc66cfc23db15c75581b9ee01c727426b8ded0ff0575d9bb3c6f557defed71e
Opcode Fuzzy Hash: 628a86de6794d21a3ab3f7410a8c51901b056788b8c82bbf94cd8f4368a3c613
Instruction Fuzzy Hash: 5B51D331600310BACF28AB65EC95B29B3A8EF55314F20847EFD06DF291DB708C52CB96

Function 0018910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625

Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001894E5
_wcslen.LIBCMT ref: 00189506
_wcslen.LIBCMT ref: 0018952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00189585

Strings

X, xrefs: 00189412

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 27f44d6240006606d84d3926f9fcff8d45de8b58d70c6f20e53bea4baeb7917f
Instruction ID: eb4d7d08c70d8e403d15f87f1f029fa9b68fbbe4be2b16f2f88c21c8d47e6457
Opcode Fuzzy Hash: 27f44d6240006606d84d3926f9fcff8d45de8b58d70c6f20e53bea4baeb7917f
Instruction Fuzzy Hash: 31E1A4315083409FC718EF24D881AAAB7E1BF95314F08856DF8999B2A2DB31EE45CF91

Function 0012920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2

BeginPaint.USER32(?,?,?), ref: 00129241
GetWindowRect.USER32(?,?), ref: 001292A5
ScreenToClient.USER32(?,?), ref: 001292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001292D3
EndPaint.USER32(?,?,?,?,?), ref: 00129321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001671EA

Part of subcall function 00129339: BeginPath.GDI32(00000000), ref: 00129357

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 18047050891caa8f7a271e114fd2f75034ac1d683ac2211399633f3c0f5e0c41
Instruction ID: f3a03e7a1bfe1d93c705584c77a5c98987153e293adf436bdba33b145ec9056c
Opcode Fuzzy Hash: 18047050891caa8f7a271e114fd2f75034ac1d683ac2211399633f3c0f5e0c41
Instruction Fuzzy Hash: 0B41BD70204250AFD720DF68DC84FBA7BF8FB56724F040629F9948B2E2C7309895DBA1

Function 001807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0018080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00180847
EnterCriticalSection.KERNEL32(?), ref: 00180863
LeaveCriticalSection.KERNEL32(?), ref: 001808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00180921

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 7c6684e7ebd6dc1e2728b46f1c34bda06703c0c0d81b4988465543f3ddf6a43a
Instruction ID: f60f9554629d1c440a2c51b83ec138165571efc589c43b240e6d7979449f6db0
Opcode Fuzzy Hash: 7c6684e7ebd6dc1e2728b46f1c34bda06703c0c0d81b4988465543f3ddf6a43a
Instruction Fuzzy Hash: 65414C71A00209EFDF15AF54DC85AAA77B8FF09310F1540B9ED04AA296D730DEA5DFA0

Function 001A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0016F3AB,00000000,?,?,00000000,?,0016682C,00000004,00000000,00000000), ref: 001A824C
EnableWindow.USER32(?,00000000), ref: 001A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001A82D1
ShowWindow.USER32(?,00000004), ref: 001A82E5
EnableWindow.USER32(?,00000001), ref: 001A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001A832F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: cc5063c892f25912aec8bd8498c3d4b646d4b4abe607e27cd7036222cb55ad87
Instruction ID: 2aa4b29f83597f78a0269fc71a9122d52056b03681d4c736ab866fd04cbeb2e8
Opcode Fuzzy Hash: cc5063c892f25912aec8bd8498c3d4b646d4b4abe607e27cd7036222cb55ad87
Instruction Fuzzy Hash: F841A138601644EFDF25CF54D899BE87BF1BF0BB14F1841A9E6484F2A2CB31A881CB50

Function 00174C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00174C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00174CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00174CEA
_wcslen.LIBCMT ref: 00174D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00174D10
_wcsstr.LIBVCRUNTIME ref: 00174D1A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ee6a01d34e0e9170dc7ded2847c2d8fc1bd60a5ee673d08ed36754e095a49a54
Instruction ID: 5bb40ace1f1cb85292e98c5214e1903170ec0fe88aee89dfb08b346d52b99915
Opcode Fuzzy Hash: ee6a01d34e0e9170dc7ded2847c2d8fc1bd60a5ee673d08ed36754e095a49a54
Instruction Fuzzy Hash: 5B21D771204210BBEB269B79EC49EBB7BBCDF56760F11807DF80DCA191EB61DC4196A0

Function 0018581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00113AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00113A97,?,?,00112E7F,?,?,?,00000000), ref: 00113AC2

_wcslen.LIBCMT ref: 0018587B
CoInitialize.OLE32(00000000), ref: 00185995
CoCreateInstance.OLE32(001AFCF8,00000000,00000001,001AFB68,?), ref: 001859AE
CoUninitialize.OLE32 ref: 001859CC

Strings

.lnk, xrefs: 00185876, 001858C1, 00185985

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: fbd8c47094eb2d32b77916d8c4d04df8d15ba020eb0638f4a50878993dc622b2
Instruction ID: 45203284b0b464b2230eb994fd0dc7c51f993031a075a4b963476dd2dc27272f
Opcode Fuzzy Hash: fbd8c47094eb2d32b77916d8c4d04df8d15ba020eb0638f4a50878993dc622b2
Instruction Fuzzy Hash: 18D14475A086019FC718EF24C480A6ABBE2EF99714F14486DF8899B361D731EE45CF92

Function 0017175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00170FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00170FCA
Part of subcall function 00170FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00170FD6
Part of subcall function 00170FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00170FE5
Part of subcall function 00170FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00170FEC
Part of subcall function 00170FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00171002

GetLengthSid.ADVAPI32(?,00000000,00171335), ref: 001717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001717BA
HeapAlloc.KERNEL32(00000000), ref: 001717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001717DA
GetProcessHeap.KERNEL32(00000000,00000000,00171335), ref: 001717EE
HeapFree.KERNEL32(00000000), ref: 001717F5

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6434c0b6b8c923757f04cd3027fb43dbac89dc0c62d6525ff2217ffd97b82b8f
Instruction ID: 602eb46951015a45c7275813d8f4950d76a57bddc8780772e31d437d222d8ad4
Opcode Fuzzy Hash: 6434c0b6b8c923757f04cd3027fb43dbac89dc0c62d6525ff2217ffd97b82b8f
Instruction Fuzzy Hash: 7E119072600205FFDB189FA8CD49BAF7BB9EF46355F10C018F44597210D735A984CBA0

Function 001714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00171506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00171515
CloseHandle.KERNEL32(00000004), ref: 00171520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0017154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00171563

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 697374fd56834e8d4284370ff45b77f9ccea9b8ee1ea8fc9012a4a443076d30b
Instruction ID: f79ab729a1f840a8f5147e87cb706244aaa59f4c3b0071c2d657eae0e3fff59d
Opcode Fuzzy Hash: 697374fd56834e8d4284370ff45b77f9ccea9b8ee1ea8fc9012a4a443076d30b
Instruction Fuzzy Hash: A9112976504209BBDF118F98DE49BDE7BB9EF49744F048015FA09A2160C3758EA4DBA0

Function 00133382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00133379,00132FE5), ref: 00133390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0013339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001333B7
SetLastError.KERNEL32(00000000,?,00133379,00132FE5), ref: 00133409

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 51387d2b4bdd3453a6084af9b943a1ef980867ba0b264b4baeaf6c543c169df7
Instruction ID: 0361914d7e5f495f6614d5e0e9e8c5c2d4439a959d2dc25685e0dd53be6851c5
Opcode Fuzzy Hash: 51387d2b4bdd3453a6084af9b943a1ef980867ba0b264b4baeaf6c543c169df7
Instruction Fuzzy Hash: 0A01D43360A312BEEA2927757CC6666AB95FB25379F20822AF430852F0EF114E45959C

Function 00142D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00145686,00153CD6,?,00000000,?,00145B6A,?,?,?,?,?,0013E6D1,?,001D8A48), ref: 00142D78
_free.LIBCMT ref: 00142DAB
_free.LIBCMT ref: 00142DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0013E6D1,?,001D8A48,00000010,00114F4A,?,?,00000000,00153CD6), ref: 00142DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0013E6D1,?,001D8A48,00000010,00114F4A,?,?,00000000,00153CD6), ref: 00142DEC
_abort.LIBCMT ref: 00142DF2

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 107ff98270fdcb901be76dd4bf473389354796eb6190573a0c90078f6756afb4
Instruction ID: f53e79e74581891af96d2ebe00ca5d6160f5bf61735f5e8635641be5a267c08c
Opcode Fuzzy Hash: 107ff98270fdcb901be76dd4bf473389354796eb6190573a0c90078f6756afb4
Instruction Fuzzy Hash: 09F04C31D05A1167C61273B5BC0AF1F265ABFD27B0F650519F824D31F2EF7088C141A0

Function 001A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00129639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00129693
Part of subcall function 00129639: SelectObject.GDI32(?,00000000), ref: 001296A2
Part of subcall function 00129639: BeginPath.GDI32(?), ref: 001296B9
Part of subcall function 00129639: SelectObject.GDI32(?,00000000), ref: 001296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001A8A70
LineTo.GDI32(?,00000000,00000003), ref: 001A8A80
EndPath.GDI32(?), ref: 001A8A90
StrokePath.GDI32(?), ref: 001A8AA0

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b2e04ccfa0a9b53d3f9d538051bb53270228fd49e6a0020886b7253b7e90d281
Instruction ID: 6d84b271374f59f5244ce0c19b6f00e3a3ac83f7f3db4ad8afa6c41267a4abbc
Opcode Fuzzy Hash: b2e04ccfa0a9b53d3f9d538051bb53270228fd49e6a0020886b7253b7e90d281
Instruction Fuzzy Hash: 41111B7A00014CFFDF129F94DC88EAA7F6CEB09354F008012BA199A5A1C7719D95DFA0

Function 001751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00175218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00175229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00175230
ReleaseDC.USER32(00000000,00000000), ref: 00175238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0017524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00175261

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 65885af72156d627211992919e95cd27926315d71fd8a763b028077bc8e4dbfa
Instruction ID: f3c25c3d88ce2fe4f65224416d8d66846f082e35149e6f7e9a3b89b06fce5c14
Opcode Fuzzy Hash: 65885af72156d627211992919e95cd27926315d71fd8a763b028077bc8e4dbfa
Instruction Fuzzy Hash: 2F014F75A00718BBEB109BA59C49A5EBFB9EB49751F044065FA08A7781D6709C00CBA0

Function 00111BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00111BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00111BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00111C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00111C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00111C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00111C22

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 13951068dc042801aa99f6873b555ab6b6ff04791f3969a0da53c4c956c5386a
Instruction ID: d117ab98a09e689fee3027a253f2e60b82a5aa80edc197e0cb47c8bd3e5e7006
Opcode Fuzzy Hash: 13951068dc042801aa99f6873b555ab6b6ff04791f3969a0da53c4c956c5386a
Instruction Fuzzy Hash: 2B016CB09027597DE3008F5A8C85B52FFE8FF19354F04411B915C47A41C7F5A864CBE5

Function 0017EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0017EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0017EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0017EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0017EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0017EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0017EB75

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 443e1bdf59117ef82cb0355ab71d6b99cdc65b1e269300fe3843b725185d0c23
Instruction ID: c3e34cd7768ebd92e546e67467334c32fb1e35e87afdc8a80336564aba1bfb96
Opcode Fuzzy Hash: 443e1bdf59117ef82cb0355ab71d6b99cdc65b1e269300fe3843b725185d0c23
Instruction Fuzzy Hash: 05F05E72240158BBE7219B629C0EEEF3E7CEFCBB11F004159F605D1591EBA05A41CAF5

Function 00167439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00167452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00167469
GetWindowDC.USER32(?), ref: 00167475
GetPixel.GDI32(00000000,?,?), ref: 00167484
ReleaseDC.USER32(?,00000000), ref: 00167496
GetSysColor.USER32(00000005), ref: 001674B0

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 4cbfcb1fc273c867c19485bf48b9bb26a81e76a63756911961b77674390bf924
Instruction ID: 7de0dc9614101939074107e66a1d48b41d55f05a1f4daab36e702da7d819ddb8
Opcode Fuzzy Hash: 4cbfcb1fc273c867c19485bf48b9bb26a81e76a63756911961b77674390bf924
Instruction Fuzzy Hash: 20014B31500215EFDB519FA4DD08BEEBBB6FB05321F550164F919A25A1CF311E91AB90

Function 00171874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0017187F
UnloadUserProfile.USERENV(?,?), ref: 0017188B
CloseHandle.KERNEL32(?), ref: 00171894
CloseHandle.KERNEL32(?), ref: 0017189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001718A5
HeapFree.KERNEL32(00000000), ref: 001718AC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a2d56a6d5bb025462003362052c59db3a239f5ca7d8e48ffbe44ebe80b5c841d
Instruction ID: c53716c962698366f64d0a2bb616f4b536dba1c36b47ade87f176c2d493f4459
Opcode Fuzzy Hash: a2d56a6d5bb025462003362052c59db3a239f5ca7d8e48ffbe44ebe80b5c841d
Instruction Fuzzy Hash: 45E07576204505FBDB015FA5ED0C94ABF79FF4AB22B508625F22581871DB3294A1DF90

Function 0017C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0017C6EE
_wcslen.LIBCMT ref: 0017C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0017C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0017C7CA

Strings

0, xrefs: 0017C6AF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 6627359e39cd70e50f88f66d744138a4e6c7276057aab0c25926a18b3fe6eb58
Instruction ID: 1070b78ace65f88988b536de3c9cb5edd5809bbe8ae0e4742d2389ab83f14f92
Opcode Fuzzy Hash: 6627359e39cd70e50f88f66d744138a4e6c7276057aab0c25926a18b3fe6eb58
Instruction Fuzzy Hash: D751E0716043419BD7189F28C885BAF77F8AF99314F048A2DF999E3290DB70D944CB92

Function 0019AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0019AEA3

Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625

GetProcessId.KERNEL32(00000000), ref: 0019AF38
CloseHandle.KERNEL32(00000000), ref: 0019AF67

Strings

@, xrefs: 0019AE72
<, xrefs: 0019AE6B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 7d6685b27ad6fe53ef0e83a997e9ee95dcd2b87e9b8cff950b0129afa4cf2ad2
Instruction ID: 4e36e5fdaa8707bb64070ae9e5eb06aac5ce8799bf1dccef87ecc53bbaade7f3
Opcode Fuzzy Hash: 7d6685b27ad6fe53ef0e83a997e9ee95dcd2b87e9b8cff950b0129afa4cf2ad2
Instruction Fuzzy Hash: D5715570A00219DFCF18DF64D494A9EBBF1BF08314F4484A9E816AB792CB74ED85CB91

Function 0017719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00177206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0017723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0017724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001772CF

Strings

DllGetClassObject, xrefs: 00177242

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 027e784bad4b72cd3f37d7259198eb5b222be64a09ba879177c7ba29572b996e
Instruction ID: 208078b2e4ad228b5d3c40f7b7ec343983db9b014c11b71fe77a0b6fe8935b7f
Opcode Fuzzy Hash: 027e784bad4b72cd3f37d7259198eb5b222be64a09ba879177c7ba29572b996e
Instruction Fuzzy Hash: 6E416D71A04204EFDB15CF94C884A9A7BB9EF45310F15C0ADBD19DF28AD7B1DA45CBA0

Function 001A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A3E35
IsMenu.USER32(?), ref: 001A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001A3E92
DrawMenuBar.USER32 ref: 001A3EA5

Strings

0, xrefs: 001A3D89

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: f3b3986fc1482eaeb77f19f99705dbb0c9135949acbcc6d6c71a7803e71b1aab
Instruction ID: 9210dcd4432f20451e6294e8f8443809c32fa477d272e9c932be06d0197fb78a
Opcode Fuzzy Hash: f3b3986fc1482eaeb77f19f99705dbb0c9135949acbcc6d6c71a7803e71b1aab
Instruction Fuzzy Hash: B6413B79A01209EFDB10DF50D884EEABBB5FF4A355F04412AF915AB250D730AE45CF90

Function 00171DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00171E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00171E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00171EA9

Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A

Strings

ListBox, xrefs: 00171E25
ComboBox, xrefs: 00171DF0

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a2a5591eb3589b92d3d6a347df7fc420764d05523b7008d0d5d15c7695f23019
Instruction ID: e51fedaea1c5ee368080285af8d6f52ae4d7e36ad1cfeb9bda8bae35878324b9
Opcode Fuzzy Hash: a2a5591eb3589b92d3d6a347df7fc420764d05523b7008d0d5d15c7695f23019
Instruction Fuzzy Hash: 29217D71A00104BFDB199B68DC46CFFB7B9DF52350F108129F869A72E0DF344E469660

Function 0019C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0019C9F1
_wcslen.LIBCMT ref: 0019CA68
_wcslen.LIBCMT ref: 0019CA9E
_wcslen.LIBCMT ref: 0019CAF9
_wcslen.LIBCMT ref: 0019CB2F
_wcslen.LIBCMT ref: 0019CB7F

Strings

HKLM, xrefs: 0019CA98, 0019CA9D
HKEY_LOCAL_MACHINE, xrefs: 0019CA62, 0019CA67

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: e2ffd6c0f7071dc3fc280501776d1e80dbb28ddcf5eb8c06904b759d848ed8fb
Instruction ID: fdb9b418ef6e1c87edf9ee1cc7986200c15acbe277b5199b0e276535fd88877b
Opcode Fuzzy Hash: e2ffd6c0f7071dc3fc280501776d1e80dbb28ddcf5eb8c06904b759d848ed8fb
Instruction Fuzzy Hash: 9A31E673A0016A4BCF20DF6C99501BE33915BB1764B55402AE895AB385F771CD80D3E0

Function 001A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001A2F8D
LoadLibraryW.KERNEL32(?), ref: 001A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001A2FA9
DestroyWindow.USER32(?), ref: 001A2FB1

Strings

SysAnimate32, xrefs: 001A2F68

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f1279b4d41a5647d4c5b7962bea58cf52813e6ff831fae4b9e6dd19fe0bc525b
Instruction ID: 7afc26ba616c2c042091c49c1687e5497d2653a33db8e431177f6df2e7c4b936
Opcode Fuzzy Hash: f1279b4d41a5647d4c5b7962bea58cf52813e6ff831fae4b9e6dd19fe0bc525b
Instruction Fuzzy Hash: 03219D75204209AFEB108FA8DC80FBB77BDEB5A364F104629F950D7190D771DC9197A0

Function 00134D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00134D1E,001428E9,?,00134CBE,001428E9,001D88B8,0000000C,00134E15,001428E9,00000002), ref: 00134D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00134DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00134D1E,001428E9,?,00134CBE,001428E9,001D88B8,0000000C,00134E15,001428E9,00000002,00000000), ref: 00134DC3

Strings

CorExitProcess, xrefs: 00134D98
mscoree.dll, xrefs: 00134D86

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c151747727c8d0700f09768eff38435a7df5a101688427f7eb41ff4ccebd2c4
Instruction ID: 5169bb528f494611cec6277fb7fd43f06b0ba1a2007092816823617cbc3d78fa
Opcode Fuzzy Hash: 4c151747727c8d0700f09768eff38435a7df5a101688427f7eb41ff4ccebd2c4
Instruction Fuzzy Hash: 26F03C35A40208ABDB119B94DC49BEEBFE5EF58751F0001A8F806A2660CB70AA80CAD0

Function 0016D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0016D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0016D3BF
FreeLibrary.KERNEL32(00000000), ref: 0016D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0016D3B9
X64, xrefs: 0016D2A8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: a2d56c9a3d889a7e225b576355e5b3c79f115c93d0a44fe43c6565e903ab15b0
Instruction ID: b53eca15dfdeabbaf08bd1b2582939b625a2d1927e3499a380bb04fc1e6a3523
Opcode Fuzzy Hash: a2d56c9a3d889a7e225b576355e5b3c79f115c93d0a44fe43c6565e903ab15b0
Instruction Fuzzy Hash: 5AF055B1F05A21DBD7751722AC289AD7720BF02B01F56809DF802F6210DB60CDA086C2

Function 00114E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00114EDD,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00114EAE
FreeLibrary.KERNEL32(00000000,?,?,00114EDD,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114EC0

Strings

kernel32.dll, xrefs: 00114E94
Wow64DisableWow64FsRedirection, xrefs: 00114EA8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: dc12808c9dbea617572c4192bc3d6c2b2fbb51e9e548cf56531c707ee477a719
Instruction ID: cb5daae160769d23131af17cf43b7f6b44f530ce2a7b13a796550195333f495e
Opcode Fuzzy Hash: dc12808c9dbea617572c4192bc3d6c2b2fbb51e9e548cf56531c707ee477a719
Instruction Fuzzy Hash: 1EE0CD35B035229BD23517257C18BDF6594AF83F62B050125FC04D2200DB64CD8148F5

Function 00114E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00153CDE,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00114E74
FreeLibrary.KERNEL32(00000000,?,?,00153CDE,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00114E6E
kernel32.dll, xrefs: 00114E5B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 1ecc454328c9c4cedf1d860ed00baac2e2422dc35a72ef71fe52c83a3c35536f
Instruction ID: f2fe222de1193058b025c70a5c4e84a099d9fd26523618bedd9ea0c298ddd951
Opcode Fuzzy Hash: 1ecc454328c9c4cedf1d860ed00baac2e2422dc35a72ef71fe52c83a3c35536f
Instruction Fuzzy Hash: BED0123560362297A6261B257C18DCB6A58AF87F513050625F905E2114CF65CD8285E0

Function 00182947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00182C05
DeleteFileW.KERNEL32(?), ref: 00182C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00182C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00182CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00182CC0

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 78715b94d8a75f8b094393659fd7f28ba787abb87c06bbeb0957330f815c8833
Instruction ID: c7a1905a3900b20c0f312a31379bf22a6aba784fa77e129e0c5bde08594ce960
Opcode Fuzzy Hash: 78715b94d8a75f8b094393659fd7f28ba787abb87c06bbeb0957330f815c8833
Instruction Fuzzy Hash: 21B15D71901119ABDF26EBA4CC85EEEBBBDEF59310F1040A6F509E7141EB319B448FA1

Function 0019A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0019A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0019A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0019A468
CloseHandle.KERNEL32(?), ref: 0019A63D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 23f0de10aef7c9c359b79a2b366a60f651be27cd2f1b8acb54a140a987eee029
Instruction ID: 329f021a98a9c3e7fbaa3ceb243bb08fd1adef4eddf1deef818793e50c617590
Opcode Fuzzy Hash: 23f0de10aef7c9c359b79a2b366a60f651be27cd2f1b8acb54a140a987eee029
Instruction Fuzzy Hash: 2CA1B1716043019FDB24DF28D886F2AB7E1AF98714F54881CF95A9B2D2DB70EC45CB92

Function 0017E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0017DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0017CF22,?), ref: 0017DDFD

Part of subcall function 0017DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0017CF22,?), ref: 0017DE16

Part of subcall function 0017E199: GetFileAttributesW.KERNEL32(?,0017CF95), ref: 0017E19A

lstrcmpiW.KERNEL32(?,?), ref: 0017E473
MoveFileW.KERNEL32(?,?), ref: 0017E4AC
_wcslen.LIBCMT ref: 0017E5EB
_wcslen.LIBCMT ref: 0017E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0017E650

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e7c7af93001393851700d0735fad5c5c1272af60b8c2d348858cd2d76b177d0b
Instruction ID: 4a3bc3065be3ec81708230e4f512721723e43c094e4f507704859013181d98fa
Opcode Fuzzy Hash: e7c7af93001393851700d0735fad5c5c1272af60b8c2d348858cd2d76b177d0b
Instruction Fuzzy Hash: 8F5185B24083459BC724DB94DC919DF73ECAF99340F00496EF689D3191EF74A688C766

Function 0019B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 0019C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019C9F1
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA68
Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0019BB63
RegCloseKey.ADVAPI32(?,?), ref: 0019BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0019BBB3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 4b85d8fced51de4af793dfbf3c93125021d1c3ed2de0939e5c95b756e3ed5b67
Instruction ID: 6bc405c74f12cccfcd4d696a35af43dd3e59ae2fe6ab5123816654408287d77d
Opcode Fuzzy Hash: 4b85d8fced51de4af793dfbf3c93125021d1c3ed2de0939e5c95b756e3ed5b67
Instruction Fuzzy Hash: 2E61A131208241AFD718DF14D5D0E6ABBE5FF84308F54856CF49A8B2A2DB31ED85CB92

Function 00178BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00178BCD
VariantClear.OLEAUT32 ref: 00178C3E
VariantClear.OLEAUT32 ref: 00178C9D
VariantClear.OLEAUT32(?), ref: 00178D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00178D3B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: d709864343c1ce38dda7e7d63e60ad1a144c639499e4a56c88177a003f892423
Instruction ID: fbaafb8666ca04716ea70881d578bda79fe6898c9fd58e2546f6c9e79c7f5a6a
Opcode Fuzzy Hash: d709864343c1ce38dda7e7d63e60ad1a144c639499e4a56c88177a003f892423
Instruction Fuzzy Hash: BD5149B5A00619EFCB14CF68C894AAAB7F9FF8D314B158559E909DB350E730E911CFA0

Function 00188AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00188BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00188BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00188C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00188C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00188C5F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5633abc7f04c374cd2e9867916b2a3fbd3f626e14dac27bb5b700f3663a29891
Instruction ID: 5084ae3a77622c228d9f022aeb318074908c26ed813e23acdcf669e617373988
Opcode Fuzzy Hash: 5633abc7f04c374cd2e9867916b2a3fbd3f626e14dac27bb5b700f3663a29891
Instruction Fuzzy Hash: 9B514F35A002159FCB05DF64C881AADBBF5FF49314F088469E849AB3A2DB31ED51CF90

Function 00198EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00198F40
GetProcAddress.KERNEL32(00000000,?), ref: 00198FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00198FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00199032
FreeLibrary.KERNEL32(00000000), ref: 00199052

Part of subcall function 0012F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00181043,?,753CE610), ref: 0012F6E6
Part of subcall function 0012F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0016FA64,00000000,00000000,?,?,00181043,?,753CE610,?,0016FA64), ref: 0012F70D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: d8023cec3d193c260257fb6c956c2fe75fbf160226130cd7fb68c5530fef5c46
Instruction ID: 207e1cb31a6a1402112e723ea1c0512f723baee943e99d33cbcc3c81ca4c1748
Opcode Fuzzy Hash: d8023cec3d193c260257fb6c956c2fe75fbf160226130cd7fb68c5530fef5c46
Instruction Fuzzy Hash: 23515A34604205DFCB15DF68C4949ADBBF1FF5A314F0980A8E81A9B362DB31ED86CB91

Function 001A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0018AB79,00000000,00000000), ref: 001A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001A6CC7

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 0710f663e266289a01f38d935de1ba5efd14020e89c20a5d2742c8d58f6619de
Instruction ID: 9401b0a6f2dbb533c61b1602ef4d1b7d3322c8831d4c754ef9619fe2e05346c4
Opcode Fuzzy Hash: 0710f663e266289a01f38d935de1ba5efd14020e89c20a5d2742c8d58f6619de
Instruction Fuzzy Hash: 0441C339A04104AFD724DF68CC58FA97BA5EB0B370F190228F899A72E5C771ED41DA90

Function 00142051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001420C3
_free.LIBCMT ref: 001420E3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 09b16b00de926033f2159519bd0d8702e27c513b85d970aeda2b445da6ccf64c
Instruction ID: cf1b5b6bba9ba27853b0a2fb7d2820e68ee4f27c6796f378dafbd2a90191fb12
Opcode Fuzzy Hash: 09b16b00de926033f2159519bd0d8702e27c513b85d970aeda2b445da6ccf64c
Instruction Fuzzy Hash: 58410332A002009FCB24DF78C880A5EB7F5EF89714F5645A9F615EB3A6DB71AD41CB80

Function 0012912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00129141
ScreenToClient.USER32(00000000,?), ref: 0012915E
GetAsyncKeyState.USER32(00000001), ref: 00129183
GetAsyncKeyState.USER32(00000002), ref: 0012919D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3c6a0c31a9d0934a3b6a00ad1cb7258f62b7242186a549774906c56997f60200
Instruction ID: 607314dec3112b890e866ef6a241975a4418cea0f1ebf1fb931f63bd866e529a
Opcode Fuzzy Hash: 3c6a0c31a9d0934a3b6a00ad1cb7258f62b7242186a549774906c56997f60200
Instruction Fuzzy Hash: 80414071A0861ABBDF199F69DC44BEEB774FB16334F208216E429A72D0C7345960CB91

Function 00183874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00183922
TranslateMessage.USER32(?), ref: 0018394B
DispatchMessageW.USER32(?), ref: 00183955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00183966

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: bf57bb15de947d919a3d6c60eb40452b1ad50387d060216e7f6f3a99f5e7f783
Instruction ID: 6f8af859616af53156ff7863abb4f5789fa498b2b8e8bd353c6c08127960d96c
Opcode Fuzzy Hash: bf57bb15de947d919a3d6c60eb40452b1ad50387d060216e7f6f3a99f5e7f783
Instruction Fuzzy Hash: 8231A670D04381AEEB35EB74D848BBA37A8AB16B08F0C056DE476865A0E7B497C5CF51

Function 0018CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0018C21E,00000000), ref: 0018CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0018CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0018C21E,00000000), ref: 0018CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0018C21E,00000000), ref: 0018CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0018C21E,00000000), ref: 0018CFF2

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: bf4c0cf554cbeb0cc1d5fe62ce6a7eab1381eb6ab8fd420463592ac37cd627cd
Instruction ID: 020e36c2fb1733599969d5396e01073bb054b3aba009ff140f07a2981e20cbe8
Opcode Fuzzy Hash: bf4c0cf554cbeb0cc1d5fe62ce6a7eab1381eb6ab8fd420463592ac37cd627cd
Instruction Fuzzy Hash: 47315C71604205EFEB24EFA5D884AABBBFAEF15354B10442EF616D2540DB30AE41DFA0

Function 00171901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00171915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001719E2

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f705148fbb14b2e1d0ee0d0d26b30f39ec8a4b6031a4d05e0d80b6e07db8e57a
Instruction ID: d2326f3d98b794c1c3cdcafa0208fa60ab91e243f52d63b196ae7f395c47dff4
Opcode Fuzzy Hash: f705148fbb14b2e1d0ee0d0d26b30f39ec8a4b6031a4d05e0d80b6e07db8e57a
Instruction Fuzzy Hash: 4331B171A00219EFCB14CFACCD99ADE3BB5EB45319F108225FA25A72D1C7709945CB90

Function 001A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001A579D
_wcslen.LIBCMT ref: 001A57AF
_wcslen.LIBCMT ref: 001A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001A5816

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 79f988bc7191b8ac11c4ef3700ac83f5e86b6be119b33e26275b1ef01ee6a174
Instruction ID: 5ecaa441cfd59ad331edd5e9dbeb67385f1003f6cd987a621441a15603ce5837
Opcode Fuzzy Hash: 79f988bc7191b8ac11c4ef3700ac83f5e86b6be119b33e26275b1ef01ee6a174
Instruction Fuzzy Hash: 58219979908618DADB20DFA0CC85AEE7779FF16724F504116F919EB1C0E7709985CF90

Function 00190930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00190951
GetForegroundWindow.USER32 ref: 00190968
GetDC.USER32(00000000), ref: 001909A4
GetPixel.GDI32(00000000,?,00000003), ref: 001909B0
ReleaseDC.USER32(00000000,00000003), ref: 001909E8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 422428576dcd9bc099d39b70b7631f663a7f344264108178b2955e4a1320b1de
Instruction ID: ce7c223f3b8de25d00eb98c5281f67b275a0d317b149b228d90e252c6250d422
Opcode Fuzzy Hash: 422428576dcd9bc099d39b70b7631f663a7f344264108178b2955e4a1320b1de
Instruction Fuzzy Hash: 3C218136600204AFD704EF65DD84AAEBBE9EF59704F048468E84AE7752DB30AD44CB90

Function 0014CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0014CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0014CDE9

Part of subcall function 00143820: RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0014CE0F
_free.LIBCMT ref: 0014CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0014CE31

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 79b906b098c46af5ec734431a63f53952745bce8152ad22e124d288a42503d66
Instruction ID: 58d57a7dad6a72853cbb4f1f5e9bb0f6f585c25936212b76d8c1930e145fe856
Opcode Fuzzy Hash: 79b906b098c46af5ec734431a63f53952745bce8152ad22e124d288a42503d66
Instruction Fuzzy Hash: 920144726036157F276117BA6C88D7B6D6DEFC7BA13150129F905E7221EF618D0291F0

Function 00129639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00129693
SelectObject.GDI32(?,00000000), ref: 001296A2
BeginPath.GDI32(?), ref: 001296B9
SelectObject.GDI32(?,00000000), ref: 001296E2

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5419427c8b2fb382f7fbd7f0f2d4d9bbb08cec1c13c16e0052bd395a04db1e33
Instruction ID: 966a024a15b9f57f682644204a42f88436ba929bd5c5f052a9df45afeda75b94
Opcode Fuzzy Hash: 5419427c8b2fb382f7fbd7f0f2d4d9bbb08cec1c13c16e0052bd395a04db1e33
Instruction Fuzzy Hash: AB219270902395FFDB119FA8FC48BAD3BA9BB11319F100216F410AA5B2D37458E5CF90

Function 00175711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00175726
_memcmp.LIBVCRUNTIME ref: 00175744
_memcmp.LIBVCRUNTIME ref: 00175757
_memcmp.LIBVCRUNTIME ref: 0017576F
_memcmp.LIBVCRUNTIME ref: 00175787

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a2f83e33edc7a12a1e51ca6909d19bb54581737c18a12063fbea658730938ce8
Instruction ID: 1d745015e35dd83a50eeb76f63d7f97ebe183106621f396a0199618396a8c375
Opcode Fuzzy Hash: a2f83e33edc7a12a1e51ca6909d19bb54581737c18a12063fbea658730938ce8
Instruction Fuzzy Hash: CC0152A5641609BAE30C55119D83FBA736EAB613A5F848025FD089A642F7B1ED1182B1

Function 00142DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0013F2DE,00143863,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6), ref: 00142DFD
_free.LIBCMT ref: 00142E32
_free.LIBCMT ref: 00142E59
SetLastError.KERNEL32(00000000,00111129), ref: 00142E66
SetLastError.KERNEL32(00000000,00111129), ref: 00142E6F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: de9b30ce640e86cafe95ea3416c8748f18b1c31800f910e40673e3284baac510
Instruction ID: 8a0846a6462d0d901cff0730eb942cb036763c9cb9408525fe09b4a3e810078f
Opcode Fuzzy Hash: de9b30ce640e86cafe95ea3416c8748f18b1c31800f910e40673e3284baac510
Instruction Fuzzy Hash: F401F432206A0167CA2267756C85D2F266AAFE23B5BE50529F425F22B2EF70CCC18160

Function 0017000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?,?,0017035E), ref: 0017002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?), ref: 00170064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170070

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b4f3160647a338efa1472cf8bd490e31800d6bdde4a93c429072061ec7a38ec9
Instruction ID: 2924653b4258aa47c63047502356423e73936db31b55e6f6b3a68ddde986e703
Opcode Fuzzy Hash: b4f3160647a338efa1472cf8bd490e31800d6bdde4a93c429072061ec7a38ec9
Instruction Fuzzy Hash: C3014F76600314FFDB124F69DC44BAA7AFDEF487A1F148128F909D6211D775DD809BA0

Function 0017E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0017E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0017E9A5
Sleep.KERNEL32(00000000), ref: 0017E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0017E9B7
Sleep.KERNEL32 ref: 0017E9F3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7ee580e28a422a7b69e434ccb15f8b24772a17f7a816e542ccc8ffbf76933082
Instruction ID: 2ea664416bc370e938c7252799d5331969127aa392d632dddd6ffcd4cabb74f2
Opcode Fuzzy Hash: 7ee580e28a422a7b69e434ccb15f8b24772a17f7a816e542ccc8ffbf76933082
Instruction Fuzzy Hash: 36011B32D01529DBCF009FE5D859AEDBBB8BF0E705F014596E606B2241CB349595CBA1

Function 001710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00171114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 0017112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0017114D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a45911750ef0f135f4bea5cbd65ba37fa7baaa09bd0e31f3f32736de8d8a0c36
Instruction ID: 67458dad71b86472dc9e403b870751fe7bb0e4a0fc32497cab2705768707c42c
Opcode Fuzzy Hash: a45911750ef0f135f4bea5cbd65ba37fa7baaa09bd0e31f3f32736de8d8a0c36
Instruction Fuzzy Hash: A7013C79200205BFDB114FA9DC49E6A3F7EEF8A3A0B644419FA45D7360DB31DD409EA0

Function 00170FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00170FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00170FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00170FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00170FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00171002

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4e00eaeff1feaaa32cd0f1f9022f79e91703435d563d58dec4346cbfe4d7f62a
Instruction ID: ff56d3d24cc5d95b74f6ed50dcaecd09145d5b2c6174722eb4e7b1038fa88a1a
Opcode Fuzzy Hash: 4e00eaeff1feaaa32cd0f1f9022f79e91703435d563d58dec4346cbfe4d7f62a
Instruction Fuzzy Hash: 06F04939200301FBDB214FA89C49F563BADEF8A762F204414FA49C6251DE70DC908AA0

Function 00171014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0017102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00171036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00171045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0017104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00171062

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f3e6c16992c5ab67d0b81593a70e1cd7e8f5f99194c0c2c98fc18fe96649415c
Instruction ID: bc71f2625b8bb6b21b4a6ff9b4e387330444d30c5b32ca0b4bae0bfe60d7925d
Opcode Fuzzy Hash: f3e6c16992c5ab67d0b81593a70e1cd7e8f5f99194c0c2c98fc18fe96649415c
Instruction Fuzzy Hash: 30F06D39200301FBDB215FA8EC49F563BADFF8A761F204814FA49C7250DF70D8908AA0

Function 0018030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 00180324
CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 00180331
CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 0018033E
CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 0018034B
CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 00180358
CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 00180365

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c0165e27ba4e602321bcb64dda1d7110376cc20afe78ed0ba153412cd2c24f72
Instruction ID: 8f2509d6045e8451a7850e31a8b81036201b77d9f3001ef74bda79bf5d677f3f
Opcode Fuzzy Hash: c0165e27ba4e602321bcb64dda1d7110376cc20afe78ed0ba153412cd2c24f72
Instruction Fuzzy Hash: 1C01AE72801B19DFCB31AF66D880812FBF9BF643153158A3FD19652931C7B1AA98DF80

Function 0014D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0014D752

Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0

_free.LIBCMT ref: 0014D764
_free.LIBCMT ref: 0014D776
_free.LIBCMT ref: 0014D788
_free.LIBCMT ref: 0014D79A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd190dc136e5ace80602a9015dc3d48ad4edb82adf9a98f0031d902f07f30b7c
Instruction ID: 4f2a5a596cecf4d918e432776660deb8249cbfe358d26ea9386a0b852e25869c
Opcode Fuzzy Hash: bd190dc136e5ace80602a9015dc3d48ad4edb82adf9a98f0031d902f07f30b7c
Instruction Fuzzy Hash: B0F09633542215AB8A25EB65F9C2C167BDDBB043197D40C06F048D7921C730FCC0C6A0

Function 00175C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00175C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00175C6F
MessageBeep.USER32(00000000), ref: 00175C87
KillTimer.USER32(?,0000040A), ref: 00175CA3
EndDialog.USER32(?,00000001), ref: 00175CBD

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5ded3eb9e3054265b1a8a59981d05a97c4beba3242a6190a5f1dd50e38df6c7c
Instruction ID: 3bd448da768c416eb9284012dc8f13e086afeb047bbf1d177cf2752553939452
Opcode Fuzzy Hash: 5ded3eb9e3054265b1a8a59981d05a97c4beba3242a6190a5f1dd50e38df6c7c
Instruction Fuzzy Hash: A901A430500B04ABEB259B10DD4EFA677BDBF11B05F044569B58BA15E1DBF0A9C4CBD0

Function 001422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001422BE

Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0

_free.LIBCMT ref: 001422D0
_free.LIBCMT ref: 001422E3
_free.LIBCMT ref: 001422F4
_free.LIBCMT ref: 00142305

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24ffc6d5c0bf9248f3acafcb99116908732f1f171f8beb347187701e21913ece
Instruction ID: 602dac77da5ccc51ba6bb08709df9271aae7c11f97a282c9708936895d792918
Opcode Fuzzy Hash: 24ffc6d5c0bf9248f3acafcb99116908732f1f171f8beb347187701e21913ece
Instruction Fuzzy Hash: 1BF01D708021A2AB9A13AFD5EC8180C3B64F728B607900507F410DB671C77118D2AEE4

Function 001295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001295D4
StrokeAndFillPath.GDI32(?,?,001671F7,00000000,?,?,?), ref: 001295F0
SelectObject.GDI32(?,00000000), ref: 00129603
DeleteObject.GDI32 ref: 00129616
StrokePath.GDI32(?), ref: 00129631

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f7814ae4c2bfac13059074e253c1e49cdf8b75947764e4a4f91da297df80e49c
Instruction ID: 882865ad8f90f97e2cdb7db75a85adc071538c29d39c6dbe05d634d8b1ef0503
Opcode Fuzzy Hash: f7814ae4c2bfac13059074e253c1e49cdf8b75947764e4a4f91da297df80e49c
Instruction Fuzzy Hash: F2F04F34005344FBDB165FA9ED5C7683FA1BB02326F048214F425598F2CB3489E5DF60

Function 00140F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001410F9
__freea.LIBCMT ref: 00141117

Part of subcall function 00141537: _free.LIBCMT ref: 0014154F

Strings

am/pm, xrefs: 0014117A
a/p, xrefs: 001411DE

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a7a3582eed02333fb7d4fd95b6da0c68f5a70339006e8408c674361bb4bc1e5c
Instruction ID: aa8d0541b16c365589a806f8fbd611369897366b417dae10b0650a1f9d30020e
Opcode Fuzzy Hash: a7a3582eed02333fb7d4fd95b6da0c68f5a70339006e8408c674361bb4bc1e5c
Instruction Fuzzy Hash: 5DD12331A10206FACB289F68C895BFEBBB1FF05720F294119E915AB670D3759DC0CB91

Function 00197B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00130242: EnterCriticalSection.KERNEL32(001E070C,001E1884,?,?,0012198B,001E2518,?,?,?,001112F9,00000000), ref: 0013024D
Part of subcall function 00130242: LeaveCriticalSection.KERNEL32(001E070C,?,0012198B,001E2518,?,?,?,001112F9,00000000), ref: 0013028A

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 001300A3: __onexit.LIBCMT ref: 001300A9

__Init_thread_footer.LIBCMT ref: 00197BFB

Part of subcall function 001301F8: EnterCriticalSection.KERNEL32(001E070C,?,?,00128747,001E2514), ref: 00130202
Part of subcall function 001301F8: LeaveCriticalSection.KERNEL32(001E070C,?,00128747,001E2514), ref: 00130235

Strings

Variable must be of type 'Object'., xrefs: 00197C3A
G, xrefs: 00197C7F
5, xrefs: 00197C78

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: dca4a738b614174ab6461e871b9c5329a4108de6033fac412ed43835f4000266
Instruction ID: e1a2a799c002adc555b0a5a928a499954b5dd06be4a955ecf2b8633810de4513
Opcode Fuzzy Hash: dca4a738b614174ab6461e871b9c5329a4108de6033fac412ed43835f4000266
Instruction Fuzzy Hash: 02918A74A14209EFCF09EF94D9919ADB7F2FF59300F148059F806AB292DB71AE81CB51

Function 00172716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0017B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001721D0,?,?,00000034,00000800,?,00000034), ref: 0017B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00172760

Part of subcall function 0017B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0017B3F8

Part of subcall function 0017B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0017B355
Part of subcall function 0017B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00172194,00000034,?,?,00001004,00000000,00000000), ref: 0017B365
Part of subcall function 0017B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00172194,00000034,?,?,00001004,00000000,00000000), ref: 0017B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0017281A

Strings

@, xrefs: 00172832

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: bf464eb8b045a80cf1a54e60d22d922bb0838be579986a203943f5823fe1b09a
Instruction ID: ebf185b9fe54df90cc8f83c163beb255ad0330313fa4653ef5aac8cfd31679a3
Opcode Fuzzy Hash: bf464eb8b045a80cf1a54e60d22d922bb0838be579986a203943f5823fe1b09a
Instruction Fuzzy Hash: D6411D72900218AFDB10DBA4CD85BDEBBB8AF15700F108095FA59B7181DB716E85CBA1

Function 0014172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00141769
_free.LIBCMT ref: 00141834
_free.LIBCMT ref: 0014183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00141760, 00141767, 00141796, 001417CE

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 1ec7deb86a97f0d44c779427d8b6495c2c1bbfa17046cc1c3148b634e6d9f576
Instruction ID: afa4a80e3ed9f0630f3b9ac93f268f099262a9d38de1026897a6e4deb24229da
Opcode Fuzzy Hash: 1ec7deb86a97f0d44c779427d8b6495c2c1bbfa17046cc1c3148b634e6d9f576
Instruction Fuzzy Hash: B1318C71A40259FBDB21DB99DC81D9EBBFCEB99310B24416AF9049B221D7708AC0CB90

Function 0017C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0017C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0017C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001E1990,010756D8), ref: 0017C395

Strings

0, xrefs: 0017C2DF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a697141184a4ceaef9da81332e625d48a85447212fd81fee845bb527718370f4
Instruction ID: 652c4f973c6ab3a948b65daf3c5d0bfaf752bd3302faa94058d23c7da06e7187
Opcode Fuzzy Hash: a697141184a4ceaef9da81332e625d48a85447212fd81fee845bb527718370f4
Instruction Fuzzy Hash: 5B418E712083019FD724DF25D884B6ABBF4BF95320F14CA1DF9A9972D1D730A904CBA2

Function 001A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001ACC08,00000000,?,?,?,?), ref: 001A44AA
GetWindowLongW.USER32 ref: 001A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001A44D7

Strings

SysTreeView32, xrefs: 001A447C

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 13747953a538d892f149e29b4402a954a272ca50e9da759a6da15678c905c56e
Instruction ID: b9ea282f645e49eadf7436dcd4d98f7778022ad3efc2c23c22e1594a57018479
Opcode Fuzzy Hash: 13747953a538d892f149e29b4402a954a272ca50e9da759a6da15678c905c56e
Instruction Fuzzy Hash: 0B31A035210605AFDF248F78DC45BEA7BA9EB4A334F204725F979921D0D7B0EC909B90

Function 0019304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0019335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00193077,?,?), ref: 00193378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0019307A
_wcslen.LIBCMT ref: 0019309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00193106

Strings

255.255.255.255, xrefs: 00193095, 0019309A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 0da5b0b4205ca88920c322217aac7defca95dfa5d217b956a4d6cbb908399b2a
Instruction ID: 1234ed9bbdfa54661cca761e43d4db7dd4a117c1ea0dfb85d75cb1c3809e5634
Opcode Fuzzy Hash: 0da5b0b4205ca88920c322217aac7defca95dfa5d217b956a4d6cbb908399b2a
Instruction Fuzzy Hash: F631D5356002059FCF24CF68C585EAA77E0EF55318F298069E9258B3A2D731EE45C760

Function 001A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 001A3F78

Strings

SysMonthCal32, xrefs: 001A3F0B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 740103cb112d98fef78711e5da9f14930236749d15e130ebcb6194b989d65bea
Instruction ID: b3cd4c30606e5a2df470da19edf8b127581002cdb41a187a578db694d99ae592
Opcode Fuzzy Hash: 740103cb112d98fef78711e5da9f14930236749d15e130ebcb6194b989d65bea
Instruction Fuzzy Hash: 69219F36610219BFDF258F94CC46FEA3BB5EB49714F110215FA19AB1D0D7B1AD90CB90

Function 001A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001A471A

Strings

msctls_updown32, xrefs: 001A4684

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9e1f54619770be56da6e5b9e24fccb3494c50a84923f134036e16436fba88f22
Instruction ID: 6cea7fffd81dabea54b260a4ec509b7cdd02d0c23805a0d85d174c12ad135714
Opcode Fuzzy Hash: 9e1f54619770be56da6e5b9e24fccb3494c50a84923f134036e16436fba88f22
Instruction Fuzzy Hash: 282151B9600244AFDB10DF68DCC1DBB37ADEB9B398B040059F9049B361DB71EC51CAA0

Function 001795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0017961D

Strings

#notrayicon, xrefs: 001795B7
#OnAutoItStartRegister, xrefs: 001795F3
#requireadmin, xrefs: 001795D9

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 10a86e860d871c4d860a3dc2e831b63b35c90d8658128965ef6dcf391ed1b0c6
Instruction ID: 79a508e94f3a120b64f6f02499979f36c158fbb8d94cd77d40d6d37f278e19af
Opcode Fuzzy Hash: 10a86e860d871c4d860a3dc2e831b63b35c90d8658128965ef6dcf391ed1b0c6
Instruction Fuzzy Hash: E821577220422166D335AB259C02FFB73F89FA5310F10813AF94D97181EB51AD8AC2E5

Function 001A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001A3876

Strings

Listbox, xrefs: 001A380F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c2ecb116cac91506e74ca7f3604ca4c98c33ae176cbef4bb35bb158280b18a0a
Instruction ID: e783e22c91a0dbbcae45159c4d9be0446c6e5a7d7b20bad28bd8674e354a9706
Opcode Fuzzy Hash: c2ecb116cac91506e74ca7f3604ca4c98c33ae176cbef4bb35bb158280b18a0a
Instruction Fuzzy Hash: 1E218076610118BBEB118F94CC85FBB376AEF8A750F118125F9159B190CB75DC5187A0

Function 001849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00184A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00184A5C
SetErrorMode.KERNEL32(00000000,?,?,001ACC08), ref: 00184AD0

Strings

%lu, xrefs: 00184A6F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 3d4652a17ab411b464d2529ddd2c3c6459c9b4f0cc30d0bfb5aec0e26aabaa59
Instruction ID: bd203db405f7a98335ff94beb02af4e6e7231b2d01d941c02079843e8a28b64c
Opcode Fuzzy Hash: 3d4652a17ab411b464d2529ddd2c3c6459c9b4f0cc30d0bfb5aec0e26aabaa59
Instruction Fuzzy Hash: 51313075A00109AFD714DF54C885EAA7BF8EF09308F1480A5E909DF352DB71EE45CBA1

Function 001A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001A4271

Strings

msctls_trackbar32, xrefs: 001A4226

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bdbb103a45fed9b2d66b824e996d81520ceff6f9e491662c04a3309a5555213f
Instruction ID: 04df9c546541e4f663646a62901bdac7bbb964781c301832db63a3e4bf7ba405
Opcode Fuzzy Hash: bdbb103a45fed9b2d66b824e996d81520ceff6f9e491662c04a3309a5555213f
Instruction Fuzzy Hash: 3211E035240248BFEF219E68DC46FAB3BACEF96B64F010125FA55E60A0D7B1DC519B60

Function 00172F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A

Part of subcall function 00172DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00172DC5
Part of subcall function 00172DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00172DD6
Part of subcall function 00172DA7: GetCurrentThreadId.KERNEL32 ref: 00172DDD
Part of subcall function 00172DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00172DE4

GetFocus.USER32 ref: 00172F78

Part of subcall function 00172DEE: GetParent.USER32(00000000), ref: 00172DF9

GetClassNameW.USER32(?,?,00000100), ref: 00172FC3
EnumChildWindows.USER32(?,0017303B), ref: 00172FEB

Strings

%s%d, xrefs: 00172FFF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e894cdb6be6aa8eb81076d4a46349f7e2ca4d469c973df3f7027d8f6685ee5f3
Instruction ID: c24bcc6324bc5b3dbb55552a0d51c5fd93704d8465f6a3127f1d42b073d821b4
Opcode Fuzzy Hash: e894cdb6be6aa8eb81076d4a46349f7e2ca4d469c973df3f7027d8f6685ee5f3
Instruction Fuzzy Hash: 521190756002056BCF15AFA0CC85EEE377AAFA5314F048079F91D9B252DF319A469B60

Function 001A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001A58EE
DrawMenuBar.USER32(?), ref: 001A58FD

Strings

0, xrefs: 001A588F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 980fbeace6e7819e52b1bbbcdeb9f2b0a22aa81c2c52ab7c301a4b1c86880342
Instruction ID: fbcb506cfa3fe229231756778847271da591c3caca0a5bd6d7aae7ed20cd9785
Opcode Fuzzy Hash: 980fbeace6e7819e52b1bbbcdeb9f2b0a22aa81c2c52ab7c301a4b1c86880342
Instruction Fuzzy Hash: 6501C035604218EFDB219F11EC44BAFBBB5FF46360F0080A9F848DA152EB308A94DF60

Function 0017007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bccd4cc8d34667ae2f7e5feb2d3e5e518c98d17dc5ac8ec5e62545eea5f98c
Instruction ID: b99c759edbeb4d3e1ebef7d9a44ee4eeeefe3115517c4cb7d9145598332203b0
Opcode Fuzzy Hash: 04bccd4cc8d34667ae2f7e5feb2d3e5e518c98d17dc5ac8ec5e62545eea5f98c
Instruction Fuzzy Hash: D5C15C75A0020AEFDB15CFA4C894EAEB7B5FF48714F218598E509EB251D731EE81CB90

Function 00143E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00143F0B
__alldvrm.LIBCMT ref: 0014410C
__alldvrm.LIBCMT ref: 0014412E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: b8c9e0d45959b29e3651b49317ef6f78b43ecae1890e5c243000b8cb9cf8dcb5
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: BDA17972E003869FEB26CF18C8917AEBBF4EF61350F18416DE5959B2A1C3349D85C751

Function 0019342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00193459
CoUninitialize.OLE32 ref: 00193463
VariantInit.OLEAUT32(?), ref: 0019346E
VariantClear.OLEAUT32(?), ref: 0019371B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fe9bd386638c70ae0acbc6ad7a2a3c6e11db57b73884b3b96ef06eff4d9fb0ef
Instruction ID: ae44ffd58b25a14848a138a75b61ebcb88c45d0d6b0a8075d44b104b761b6000
Opcode Fuzzy Hash: fe9bd386638c70ae0acbc6ad7a2a3c6e11db57b73884b3b96ef06eff4d9fb0ef
Instruction Fuzzy Hash: 39A158756043009FCB14DF28C485A6AB7E5FF8C714F058859F99A9B3A2DB30EE41CB92

Function 00170436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001AFC08,?), ref: 001705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001AFC08,?), ref: 00170608
CLSIDFromProgID.OLE32(?,?,00000000,001ACC40,000000FF,?,00000000,00000800,00000000,?,001AFC08,?), ref: 0017062D
_memcmp.LIBVCRUNTIME ref: 0017064E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 20270b44b0636123e3f9163af66a6df3a8ee9a16e5daab39eed5a714bb0edebb
Instruction ID: 586ae7d095b9d5af4d0e8aba5a1f70fec21f5bfed78bf9e91a7ea1f3aa801bd6
Opcode Fuzzy Hash: 20270b44b0636123e3f9163af66a6df3a8ee9a16e5daab39eed5a714bb0edebb
Instruction Fuzzy Hash: 06812971A00209EFCB05DF94C984EEEB7B9FF89315F208558F516AB250DB71AE46CB60

Function 0019A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0019A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0019A6BA

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Process32NextW.KERNEL32(00000000,?), ref: 0019A79C
CloseHandle.KERNEL32(00000000), ref: 0019A7AB

Part of subcall function 0012CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00153303,?), ref: 0012CE8A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 403df596e2e53a19d31533a35cbb20c74259570ad3b94820077b6bbeb19ac101
Instruction ID: 12560a5e519087c0b000a64637dc95d88103e6b7d5f36d71a1fc72c3a9881baf
Opcode Fuzzy Hash: 403df596e2e53a19d31533a35cbb20c74259570ad3b94820077b6bbeb19ac101
Instruction Fuzzy Hash: 1E519E71508300AFC714EF24D886AABBBF8FF99704F40892DF58997251EB30D944CB92

Function 00151391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001514C0

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 71a0c16e83448c396905530c76c016838cff26f28596358ec73be0ab4fb97b5d
Instruction ID: 9a5cc21e45b945bd9e2d56e458e266b9817f31f428ab61e744638ff35c252c0a
Opcode Fuzzy Hash: 71a0c16e83448c396905530c76c016838cff26f28596358ec73be0ab4fb97b5d
Instruction Fuzzy Hash: 67413B31A00100FBDB276BF9DC46BBF3AA5EF62371F140265FC39DA192E77488455261

Function 001A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001A62E2
ScreenToClient.USER32(?,?), ref: 001A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001A6382

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 64c243b9c3c64cd2a995264a1e28873f05c390dc9840888c22448b40e96b6f9b
Instruction ID: fe7419ebdfc410c568a106f4dd80d1cafc7a41a3efcc849f3abd8583b79099e0
Opcode Fuzzy Hash: 64c243b9c3c64cd2a995264a1e28873f05c390dc9840888c22448b40e96b6f9b
Instruction Fuzzy Hash: 77514E78A00249EFCF14DF68D880AAE7BB5FF56364F148169F9599B290D730ED81CB90

Function 00191AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00191AFD
WSAGetLastError.WSOCK32 ref: 00191B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00191B8A
WSAGetLastError.WSOCK32 ref: 00191B94

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: e7b5933296ba5d68d71240098135562e06582281a7696758bd57a5c1a3143b67
Instruction ID: f5661fc79ba625c0b80d153cd4fabf92cdcf42d7376a0ebb348f89586e29f809
Opcode Fuzzy Hash: e7b5933296ba5d68d71240098135562e06582281a7696758bd57a5c1a3143b67
Instruction Fuzzy Hash: E541F2346002016FEB24AF24D88AF6577E2AB54708F54C45CF91A8F3D3D772ED828B90

Function 0014B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9a8f2ee16711228b0a81dfdfbb51338a7258489e9186f6f8b310cb2bf9ad82
Instruction ID: 0aad9cdc50e4a08587a2572a7544e1e034f1e0a0085d93d51a67c3abb3af01cd
Opcode Fuzzy Hash: 0c9a8f2ee16711228b0a81dfdfbb51338a7258489e9186f6f8b310cb2bf9ad82
Instruction Fuzzy Hash: 88411972A04304BFD7259F38CC85BAABBE9EF98720F10452EF556DB6A1D771D9018780

Function 001856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00185783
GetLastError.KERNEL32(?,00000000), ref: 001857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001857FA

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c1fc8883805c7483dd28926574870e09da9b0b870a0859fb0b106ceacd67a219
Instruction ID: 19da60c5243a30792974344b641217fbedf8d2f045a53e12b562554ba9feae7a
Opcode Fuzzy Hash: c1fc8883805c7483dd28926574870e09da9b0b870a0859fb0b106ceacd67a219
Instruction Fuzzy Hash: 52411C39600A10DFCB15EF15C444A5DBBF2EF99320B198499E84A5B362CB30FD41CF91

Function 0014D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00136D71,00000000,00000000,001382D9,?,001382D9,?,00000001,00136D71,8BE85006,00000001,001382D9,001382D9), ref: 0014D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0014D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0014D9AB
__freea.LIBCMT ref: 0014D9B4

Part of subcall function 00143820: RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bb383f41671998ec27d223941d76716614345c85aec8edb9b3e29b4adec0897d
Instruction ID: 99283ee26f52fe21ea6f58a07b09612fa0bc2ce03926dd812cf14cbb3c57ecc1
Opcode Fuzzy Hash: bb383f41671998ec27d223941d76716614345c85aec8edb9b3e29b4adec0897d
Instruction Fuzzy Hash: 5831BE72A0020AABDF259F64EC45EAF7BA5EB41714F054268FC04D7260EB35DD90CB90

Function 001A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001A5352
GetWindowLongW.USER32(?,000000F0), ref: 001A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001A53A8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 04cdcf61c1c5521c9354b7c2ac24b60e85b04248261b3cd007ecdc969e2b6371
Instruction ID: 8f569d0cffebb4e56c56020d52c031885d958f844bdc90fceede6f434586e56b
Opcode Fuzzy Hash: 04cdcf61c1c5521c9354b7c2ac24b60e85b04248261b3cd007ecdc969e2b6371
Instruction Fuzzy Hash: AF31C238A5DA08FFEF349A54CC55BE837A7BF963D0F584101FA11962E1C7B09980DB82

Function 0017AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0017ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0017AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0017AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0017ACC6

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ba80185c5710644aac64af41ba000a95dbd5e111b9afb93c07d15b3414ec1ced
Instruction ID: d098af60d0d092c3c72bcc141ba317d0ea8777ade01ef55d7d715d780fe5a137
Opcode Fuzzy Hash: ba80185c5710644aac64af41ba000a95dbd5e111b9afb93c07d15b3414ec1ced
Instruction Fuzzy Hash: 3C31E630A446187FEF36CB658C05BFE7BB5AFC9320F84C21AE489962D1C37599858792

Function 001A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001A769A
GetWindowRect.USER32(?,?), ref: 001A7710
PtInRect.USER32(?,?,001A8B89), ref: 001A7720
MessageBeep.USER32(00000000), ref: 001A778C

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e17a8c787f94240633407fb98f7d68ddd69229150520de1a8f06a9ffed01fc9f
Instruction ID: ceafda6ce3ccb881c97ea4bec01e562911ef4f635e4ac7f9b385b377751f2418
Opcode Fuzzy Hash: e17a8c787f94240633407fb98f7d68ddd69229150520de1a8f06a9ffed01fc9f
Instruction Fuzzy Hash: F9416F38A05254EFCB12CFA8CD98EAD77F5FB4A314F1541A8E4149F2A1D730AA81CF90

Function 001A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001A16EB

Part of subcall function 00173A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00173A57
Part of subcall function 00173A3D: GetCurrentThreadId.KERNEL32 ref: 00173A5E
Part of subcall function 00173A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001725B3), ref: 00173A65

GetCaretPos.USER32(?), ref: 001A16FF
ClientToScreen.USER32(00000000,?), ref: 001A174C
GetForegroundWindow.USER32 ref: 001A1752

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 562fcd139ad94752aaf4d3af325d59a4ddd784eba5cb5db4b9c67f40c716c03e
Instruction ID: a5477bbf4243e93102ba8c6ad210e40d3c026b623d28c65c062840df8ce86110
Opcode Fuzzy Hash: 562fcd139ad94752aaf4d3af325d59a4ddd784eba5cb5db4b9c67f40c716c03e
Instruction Fuzzy Hash: B0312F75D00249AFC704EFA9C881CEEBBF9EF59304B5480A9E415E7252D731DE45CBA0

Function 0017DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625

_wcslen.LIBCMT ref: 0017DFCB
_wcslen.LIBCMT ref: 0017DFE2
_wcslen.LIBCMT ref: 0017E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0017E018

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 0e66a2b98438f459cd3d14c80631295469f42282ef009e5c49ab1d6b77400665
Instruction ID: 7bae6a38c6724c24c9786ffdac2c1dd2f28c7bfd664617613e0017363a3ba85b
Opcode Fuzzy Hash: 0e66a2b98438f459cd3d14c80631295469f42282ef009e5c49ab1d6b77400665
Instruction Fuzzy Hash: 2521A671900214AFCB109FA8D982BAE77F8EF59760F144065F809BB241D7709D41CBA1

Function 001A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2

GetCursorPos.USER32(?), ref: 001A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00167711,?,?,?,?,?), ref: 001A9016
GetCursorPos.USER32(?), ref: 001A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00167711,?,?,?), ref: 001A9094

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b4c0dee4b824aa67a665904fff5b3c5d043128500ae861319ad61f917ba899ad
Instruction ID: 15f5666b6587bf481a3fe291b0c6e50ca4400f124aa36dcb848958320a732e82
Opcode Fuzzy Hash: b4c0dee4b824aa67a665904fff5b3c5d043128500ae861319ad61f917ba899ad
Instruction Fuzzy Hash: D1219F39600118FFCB268F94D998EFE7BB9EB4A790F144155F9058B261C33199D0DBA0

Function 0017D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001ACB68), ref: 0017D2FB
GetLastError.KERNEL32 ref: 0017D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0017D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001ACB68), ref: 0017D376

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c1c0e1e1ede1cd68bed650bd50a8067d8d6397bfb10ed2470d62ac7acfc0a973
Instruction ID: dcf2cf2dc06d7eba80b1e43caccc9299a7d49030e3890d9c83f72eb08eefb7ef
Opcode Fuzzy Hash: c1c0e1e1ede1cd68bed650bd50a8067d8d6397bfb10ed2470d62ac7acfc0a973
Instruction Fuzzy Hash: 142183B05092059FC714DF24D8818AA77F4FF56764F108A1DF4A9C72A1DB31D946CB93

Function 00171571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00171014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0017102A
Part of subcall function 00171014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00171036
Part of subcall function 00171014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00171045
Part of subcall function 00171014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0017104C
Part of subcall function 00171014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00171062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001715BE
_memcmp.LIBVCRUNTIME ref: 001715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00171617
HeapFree.KERNEL32(00000000), ref: 0017161E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4ccfd41c2243093069922077f6ab6280a6232cbea6ea0bbdaec1627da8e53d38
Instruction ID: e03bceaee4c09da60ea1b7e76b973698c6ccfcedfd125afaa33957e801f82d4e
Opcode Fuzzy Hash: 4ccfd41c2243093069922077f6ab6280a6232cbea6ea0bbdaec1627da8e53d38
Instruction Fuzzy Hash: FD219A31E00108FFDF14DFA8C945BEEB7B8EF45354F188459E449AB241E770AA45DBA0

Function 001A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001A2840

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 2de7815a8dc129788c8daab2ff0b2a6d09ef788818619d79ce619f78687630db
Instruction ID: 3881708a40ac4180bdfc5e98c29b1e3ae741bcc4fac2de7117429fbb64d0f39a
Opcode Fuzzy Hash: 2de7815a8dc129788c8daab2ff0b2a6d09ef788818619d79ce619f78687630db
Instruction Fuzzy Hash: A821D339708511AFD718DB28C844FAA7B95AF57324F148158F4268B6E2CB75FD82CBD0

Function 001778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00178D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0017790A,?,000000FF,?,00178754,00000000,?,0000001C,?,?), ref: 00178D8C
Part of subcall function 00178D7D: lstrcpyW.KERNEL32(00000000,?,?,0017790A,?,000000FF,?,00178754,00000000,?,0000001C,?,?,00000000), ref: 00178DB2
Part of subcall function 00178D7D: lstrcmpiW.KERNEL32(00000000,?,0017790A,?,000000FF,?,00178754,00000000,?,0000001C,?,?), ref: 00178DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00178754,00000000,?,0000001C,?,?,00000000), ref: 00177923
lstrcpyW.KERNEL32(00000000,?,?,00178754,00000000,?,0000001C,?,?,00000000), ref: 00177949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00178754,00000000,?,0000001C,?,?,00000000), ref: 00177984

Strings

cdecl, xrefs: 0017797B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4d811068993f22b0d91926d0011e57074ce8afa20f13a1e7646b994e008bef53
Instruction ID: 8280d7784366e95ef154bec2d2229f7a4dc211813a859fc72527a51f99130c0a
Opcode Fuzzy Hash: 4d811068993f22b0d91926d0011e57074ce8afa20f13a1e7646b994e008bef53
Instruction Fuzzy Hash: 4F11063A201242ABCB156F34D844D7A77B5FF95364F00802AF90AC72A4EB319911C791

Function 001A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 001A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0018B7AD,00000000), ref: 001A7D6B

Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fd5cc40c2c01909ac01ce493e1b2801a29ba2a6dd16a3eca0896aa71135ed31a
Instruction ID: 3afc889f685f589711f84befc36caa4bd3668f022f1d17a7f4fdf46516090f41
Opcode Fuzzy Hash: fd5cc40c2c01909ac01ce493e1b2801a29ba2a6dd16a3eca0896aa71135ed31a
Instruction Fuzzy Hash: AC11A235604665AFCB109FA8CC04EAA3BA5AF46370B154728F839DB2F0D7309A50CB90

Function 001A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001A56BB
_wcslen.LIBCMT ref: 001A56CD
_wcslen.LIBCMT ref: 001A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001A5816

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 294bbde9f3bd9a0bb80208dbf44897097a9b030b87cc2a8c6c9eadec11e7ea56
Instruction ID: c60c9f0f5447d182cbcd3451b3f1f34357fde5a2da5f601d351f8bc239c86dc2
Opcode Fuzzy Hash: 294bbde9f3bd9a0bb80208dbf44897097a9b030b87cc2a8c6c9eadec11e7ea56
Instruction Fuzzy Hash: F111D679A08604A6DB20DF61CC85AEE777CFF16764F104026F919D6081EB70DA84CBA0

Function 00141D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafc441c48bf5276c6ea6eb743902b6077294257fcad28d477943bca58c68646
Instruction ID: 1fb3d3d4fd138d4d8b414c98f9cc5f840410dee5bdde17bd9c95982ef2e5ef8f
Opcode Fuzzy Hash: aafc441c48bf5276c6ea6eb743902b6077294257fcad28d477943bca58c68646
Instruction Fuzzy Hash: FB018BF2A096567EFA212AF86CC4F67665DEF523B8F350325F531A11E2DB708C804160

Function 00171A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00171A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00171A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00171A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00171A8A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9899a537a88818f4d4b7c18fe7a5c7ef304bec56ad738e8e34d413806425303c
Instruction ID: 402e3718f6101e44149e98b83665a9de077d2d7c4364fbe60028596a8ec26151
Opcode Fuzzy Hash: 9899a537a88818f4d4b7c18fe7a5c7ef304bec56ad738e8e34d413806425303c
Instruction Fuzzy Hash: 0411393AD01219FFEB10DBA8CD85FADBB79EB08750F204091EA04B7290D7716E50DB94

Function 0017E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0017E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0017E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0017E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0017E24D

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 534408f6ead0063f5e8ca86064f9e9277ed8c09d1af500d3baa93e45d60e5340
Instruction ID: a6074ec365f34c70a0aacf2ab61e99403dd825153351d5859f9b2fa9e96e02f7
Opcode Fuzzy Hash: 534408f6ead0063f5e8ca86064f9e9277ed8c09d1af500d3baa93e45d60e5340
Instruction Fuzzy Hash: C6112B76A04254BBC7019FE8AC45A9F7FFDAB45320F148255F819D7691D770CD4087A0

Function 0013D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0013CFF9,00000000,00000004,00000000), ref: 0013D218
GetLastError.KERNEL32 ref: 0013D224
__dosmaperr.LIBCMT ref: 0013D22B
ResumeThread.KERNEL32(00000000), ref: 0013D249

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ad1b3673ed51f50614f62d5c7939103c22e71f58c4ee5f3c7374a66c0bdd06fc
Instruction ID: 7e1f8a602345248c81447e91dcc7f2b187235de8bb0165a6ed9b19f96eef4c25
Opcode Fuzzy Hash: ad1b3673ed51f50614f62d5c7939103c22e71f58c4ee5f3c7374a66c0bdd06fc
Instruction Fuzzy Hash: AC01B536805204BBDB215BA5FC09BAF7A6DEF92731F104219F925961D0DF71C945C7E0

Function 001A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2

GetClientRect.USER32(?,?), ref: 001A9F31
GetCursorPos.USER32(?), ref: 001A9F3B
ScreenToClient.USER32(?,?), ref: 001A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 001A9F7A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 792b6f4d595228733f926bc4612204931a2660d0ee93f83d0fbc6f354dc350bd
Instruction ID: 3c908dea8512aa302e9b0bd1adc330d4980f979411cadfe243bad2006ff6b035
Opcode Fuzzy Hash: 792b6f4d595228733f926bc4612204931a2660d0ee93f83d0fbc6f354dc350bd
Instruction Fuzzy Hash: D511253AA0015AAFDB14DFA8D8859EE7BB9EB06311F000455F901E7141D330AAC1CBA1

Function 0011600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0011604C
GetStockObject.GDI32(00000011), ref: 00116060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0011606A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 8b570fdf337d094e40930fcf3bf18193f970394df34e2ed2a161592e241c4e12
Instruction ID: f8a0de403b1b915c5e4b2764abfd2e68d2b0cdc417f4ce1ff54532d1b3d12b67
Opcode Fuzzy Hash: 8b570fdf337d094e40930fcf3bf18193f970394df34e2ed2a161592e241c4e12
Instruction Fuzzy Hash: 93116D72501548BFEF168FA49C44EEABBA9EF1D3A4F050225FA1456110D7369CE0DBA0

Function 00133B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00133B56

Part of subcall function 00133AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00133AD2
Part of subcall function 00133AA3: ___AdjustPointer.LIBCMT ref: 00133AED

_UnwindNestedFrames.LIBCMT ref: 00133B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00133B7C
CallCatchBlock.LIBVCRUNTIME ref: 00133BA4

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 91ae3b79288af26b182d00447ed5b0d12740e1cf56770c10d1b2144ba44dc5f4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: BE010C32100149BBDF125E95CC46EEB7F6DEF58764F044014FE58A6121C736E961EBA4

Function 00143073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001113C6,00000000,00000000,?,0014301A,001113C6,00000000,00000000,00000000,?,0014328B,00000006,FlsSetValue), ref: 001430A5
GetLastError.KERNEL32(?,0014301A,001113C6,00000000,00000000,00000000,?,0014328B,00000006,FlsSetValue,001B2290,FlsSetValue,00000000,00000364,?,00142E46), ref: 001430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0014301A,001113C6,00000000,00000000,00000000,?,0014328B,00000006,FlsSetValue,001B2290,FlsSetValue,00000000), ref: 001430BF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1bfea83f3cf52561bddc6a4c4201b424470e1150b3a912bc3deeb83052604e46
Instruction ID: 0030475b80ddb4d34d5f2b97ee03e2d8f646483786823ea783c1d7fb19ea636b
Opcode Fuzzy Hash: 1bfea83f3cf52561bddc6a4c4201b424470e1150b3a912bc3deeb83052604e46
Instruction Fuzzy Hash: 0201FE32701322EBCB314B799C45A577BD8EF46B71B210720F925E7660D721DD41C6E0

Function 00177464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0017747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00177497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001774CA

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a049ac539d760e64883085b918c533a43b0ffa4b021a3d54b5c3f1c14ee0ccc0
Instruction ID: 214ac871a751038080666c12cd4b0de041e3206be02f654178e228a0b71b5cb5
Opcode Fuzzy Hash: a049ac539d760e64883085b918c533a43b0ffa4b021a3d54b5c3f1c14ee0ccc0
Instruction Fuzzy Hash: F51180B5209315AFE7208F24DC09FA27FFCEB04B04F10C969A65BD6591D7B0E944DBA0

Function 0017B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0017ACD3,?,00008000), ref: 0017B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0017ACD3,?,00008000), ref: 0017B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0017ACD3,?,00008000), ref: 0017B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0017ACD3,?,00008000), ref: 0017B126

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 043a3fed7b7268f08cf454c35b6e2d6a2ec32944a488ec373098ba58a2a8d3a1
Instruction ID: 56ccbc17683670979464419ff86fec1ec0a40715cc5425b77d4cf4c4cbb7f77a
Opcode Fuzzy Hash: 043a3fed7b7268f08cf454c35b6e2d6a2ec32944a488ec373098ba58a2a8d3a1
Instruction Fuzzy Hash: DB116171E0952DD7CF04AFE4E9A87EEBB78FF0A711F518085E945B2141CB305591CB91

Function 001A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001A7E33
ScreenToClient.USER32(?,?), ref: 001A7E4B
ScreenToClient.USER32(?,?), ref: 001A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001A7E8A

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ef6286c9483443719ac63e49c2fe32e9ecf6ef1393c9f327a2ed1f48e3f8e209
Instruction ID: 40240bcdefed34e73d8092870491f58670991457dec4e929656d02f11a7c9006
Opcode Fuzzy Hash: ef6286c9483443719ac63e49c2fe32e9ecf6ef1393c9f327a2ed1f48e3f8e209
Instruction Fuzzy Hash: 281156B9D0024AAFDB41CFA8C8849EEBBF5FF19310F505056E915E3610D735AA94CF90

Function 00172DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00172DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00172DD6
GetCurrentThreadId.KERNEL32 ref: 00172DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00172DE4

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c2f51a7cd597015b4f9aaef0403e2161946fa8a62dfaa5a9eb6fa87365df8f51
Instruction ID: 7b1209ab99bf8788fbba94a0ab17c766ff384accc80fa001cf69d1cedb9513ee
Opcode Fuzzy Hash: c2f51a7cd597015b4f9aaef0403e2161946fa8a62dfaa5a9eb6fa87365df8f51
Instruction Fuzzy Hash: 9AE0ED71601224BAD7245BA2DC0DEEB7E6CEB57BA1F404115F509D15909AA58981C6F0

Function 001A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00129639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00129693
Part of subcall function 00129639: SelectObject.GDI32(?,00000000), ref: 001296A2
Part of subcall function 00129639: BeginPath.GDI32(?), ref: 001296B9
Part of subcall function 00129639: SelectObject.GDI32(?,00000000), ref: 001296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001A8887
LineTo.GDI32(?,?,?), ref: 001A8894
EndPath.GDI32(?), ref: 001A88A4
StrokePath.GDI32(?), ref: 001A88B2

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 13c2f351e09bda25f24a4091c9ae260672b59963f870d3c02e2b516e27b733e0
Instruction ID: ee17e6e5c7fd362f8d2c9cd1984de1056b826feb59588f4fae0c4b79818e55ca
Opcode Fuzzy Hash: 13c2f351e09bda25f24a4091c9ae260672b59963f870d3c02e2b516e27b733e0
Instruction Fuzzy Hash: E4F05E3A045258FADB125F94AD0DFCE3F59AF07310F448000FA11654E2CB7955A1CFE9

Function 001298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001298CC
SetTextColor.GDI32(?,?), ref: 001298D6
SetBkMode.GDI32(?,00000001), ref: 001298E9
GetStockObject.GDI32(00000005), ref: 001298F1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f8819871123ad8b13d53adcf5b74001ad26443795f1b9a892ce9fc98c2298536
Instruction ID: 6c2e29f4eb5120b7b6c4555815e836e7a6f12548d129827388167df1066ca1c8
Opcode Fuzzy Hash: f8819871123ad8b13d53adcf5b74001ad26443795f1b9a892ce9fc98c2298536
Instruction Fuzzy Hash: 12E06D31344280EADB215B78BC0DBE83F61EB5333AF048219F6FA584E1C77246909B10

Function 0017162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00171634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001711D9), ref: 0017163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001711D9), ref: 00171648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001711D9), ref: 0017164F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4ff39f708ebe65a9c93f1b0f0a640fd1a6783a775ae85d8c6d812caa67de397a
Instruction ID: 475c346de15ffebbd9e3dfb024f876253d9d40987fcef70f75cb1fec2b580998
Opcode Fuzzy Hash: 4ff39f708ebe65a9c93f1b0f0a640fd1a6783a775ae85d8c6d812caa67de397a
Instruction Fuzzy Hash: A4E08635601211EBD7201FB49E0DB473B7CAF56791F148808F245C9080D7744580C790

Function 0016D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0016D858
GetDC.USER32(00000000), ref: 0016D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0016D882
ReleaseDC.USER32(?), ref: 0016D8A3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ddafb724391b1749419dc3c803ef6aa8a80b7b9c7854be349fc779521fedafa0
Instruction ID: 62aaef06de82f3b5fcec9a3cc0f2b85adf2fe8aa4ec7c3cac5afc5f6feaf8c6d
Opcode Fuzzy Hash: ddafb724391b1749419dc3c803ef6aa8a80b7b9c7854be349fc779521fedafa0
Instruction Fuzzy Hash: 68E01AB4800205DFCB459FB0E90C66DBBB5FB09310F118019F80AE7750CB388991AF80

Function 0016D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0016D86C
GetDC.USER32(00000000), ref: 0016D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0016D882
ReleaseDC.USER32(?), ref: 0016D8A3

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7110f4ac2b596c6a22ef8d97317a1afe528fb8a8a76a7cf951db2dd0c62126ff
Instruction ID: a40d41c941a1733fb426669f8209a441d6baccc732f411517f131ead27bc42ea
Opcode Fuzzy Hash: 7110f4ac2b596c6a22ef8d97317a1afe528fb8a8a76a7cf951db2dd0c62126ff
Instruction Fuzzy Hash: D0E01A74800204DFCB419FB0D80866DBBB1BB08310B108008F80AE7750CB3899819F80

Function 00184D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00184ED4

Strings

LPT, xrefs: 00184DFB
*, xrefs: 00184E10

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e594b92cd661f9a222728cb9e8a33a9614d8e6594c35713836b5fc0031aefe41
Instruction ID: f016797c7d74213da8378e2b502662828f4c3dcbe3f06632964baad3c0cf6902
Opcode Fuzzy Hash: e594b92cd661f9a222728cb9e8a33a9614d8e6594c35713836b5fc0031aefe41
Instruction Fuzzy Hash: E3914E75A002059FCB14EF58C484EAABBF1AF45304F15809DE54A9F3A2DB35EE85CF91

Function 0013E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0013E30D

Strings

pow, xrefs: 0013E2E5, 0013E302

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c962effa451501a6dfec35087ec7eafe6a56b13fa37a61af07d756ef5cf32418
Instruction ID: 4a7fbc90af6019f05c8ef42a0bd3bf804ad0179f631b25339ec1dacc8236ce98
Opcode Fuzzy Hash: c962effa451501a6dfec35087ec7eafe6a56b13fa37a61af07d756ef5cf32418
Instruction Fuzzy Hash: 7A515961E1C30296CB157724CD513BA3BE4EF50740F748EA8E0D6923F9EB358CD69A86

Function 0012E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0012E1B1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3d8cd1d87c09816ee3b7d743f9150df72562611588e7ba5c25fa18a4aaf30aa2
Instruction ID: c0894f0475ce737f855c2d36bd601edadffdd342c0167f30a91a470c4e26594d
Opcode Fuzzy Hash: 3d8cd1d87c09816ee3b7d743f9150df72562611588e7ba5c25fa18a4aaf30aa2
Instruction Fuzzy Hash: 90513339504256DFDF18DF68D881AFA7BE8EF26310F244115F8929B2C0D7349DA2CBA0

Function 0012F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0012F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0012F2BB

Strings

@, xrefs: 0012F2AF

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 49b083894e039ee4c1a822e2628b48da0221220c7b3a3d87bc5e6897818efa23
Instruction ID: 7a430a06cbfaf95a9e9449f1e3465367583cbf11b503473b16c947fd31df6e35
Opcode Fuzzy Hash: 49b083894e039ee4c1a822e2628b48da0221220c7b3a3d87bc5e6897818efa23
Instruction Fuzzy Hash: D0514771408745ABD320AF14DC86BAFBBF8FF95300F81886DF1D941195EB3185A9CB66

Function 00195745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001957E0
_wcslen.LIBCMT ref: 001957EC

Strings

CALLARGARRAY, xrefs: 001957E6, 001957EB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: e24c89c88ce34675389d6af74eaffae0b7dda1e8e26fddf142d527d23a3a9543
Instruction ID: 3f2baef85d2e2137b409ed1366d28166e189ddb56bf9f8717b93c95a6d90faaa
Opcode Fuzzy Hash: e24c89c88ce34675389d6af74eaffae0b7dda1e8e26fddf142d527d23a3a9543
Instruction Fuzzy Hash: 01418E71A002099FCF15DFA9D8859EEBBF6FF69324F108069E505B7291E7309D81CB90

Function 0018D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0018D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0018D13A

Strings

|, xrefs: 0018D10B

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 7a213a75694daf718b9035d2f9b34f2369918947a0e4b6b91b69904ab1b8997c
Instruction ID: b564197b585e8c6427def5ccd2d3dd5cd37bab7ae98cceb81f14b97ddd5d7558
Opcode Fuzzy Hash: 7a213a75694daf718b9035d2f9b34f2369918947a0e4b6b91b69904ab1b8997c
Instruction Fuzzy Hash: 1F313D71D01209ABCF15EFA4DC85AEE7FB9FF18310F000169F815A6165EB31AA56CF50

Function 001A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001A365C

Strings

static, xrefs: 001A35BC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d82bfa9aac38da8bebd51b07d6cef420b89dd197e73964b2316a83c9b93fe30f
Instruction ID: 70390b1209a1119224a58b77a9e73e49c109b0cda5935ea5d1abcf389dc80ba8
Opcode Fuzzy Hash: d82bfa9aac38da8bebd51b07d6cef420b89dd197e73964b2316a83c9b93fe30f
Instruction Fuzzy Hash: 90318B75500204AEDB149F68DC80FFB73A9FF99760F008619F8A997280DB31ED91DBA0

Function 001A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001A4634

Strings

', xrefs: 001A458E

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4bdb222a4ead78e4d1382e7f66641105f834fa2b8b295df1fac67fd7681edb04
Instruction ID: bbde123afdd711ae0205bbfb515e3a3cc6e1743f1be6ad113838eb469440c09a
Opcode Fuzzy Hash: 4bdb222a4ead78e4d1382e7f66641105f834fa2b8b295df1fac67fd7681edb04
Instruction Fuzzy Hash: 1231F978E013099FDB14CFA9C991BDA7BB5FF8A304F154069E905AB351D7B0A941CF90

Function 001A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A3287

Strings

Combobox, xrefs: 001A3249

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3e71b7bf9f3debafef39bd787c3d883f5a1cbf98f8245ff98c4c5e20be4caa17
Instruction ID: 77906ff4ac00fd332f9cfe78caa21ac57ef5c71d071a9c96d8016f33ad0e8c1c
Opcode Fuzzy Hash: 3e71b7bf9f3debafef39bd787c3d883f5a1cbf98f8245ff98c4c5e20be4caa17
Instruction Fuzzy Hash: 5E11B2753002087FEF259E94DC81FFB3B6AEB9A3A4F104126F928D7290D7319D5197A0

Function 001A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0011600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0011604C
Part of subcall function 0011600E: GetStockObject.GDI32(00000011), ref: 00116060
Part of subcall function 0011600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0011606A

GetWindowRect.USER32(00000000,?), ref: 001A377A
GetSysColor.USER32(00000012), ref: 001A3794

Strings

static, xrefs: 001A3757

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: feea7e7c352defbc84a705fb7aec39c2221c9ef86db2d660f62dc22073657385
Instruction ID: 61c4390836b1df46d337fb4b0096517b6f8e9f8c28785e3bf28fe09e2861da19
Opcode Fuzzy Hash: feea7e7c352defbc84a705fb7aec39c2221c9ef86db2d660f62dc22073657385
Instruction Fuzzy Hash: 81113AB6610209AFDF01DFA8CC45EFA7BF8FB09354F004524F966E2250E735E8519BA0

Function 0018CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0018CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0018CDA6

Strings

<local>, xrefs: 0018CD66

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8537bfac21956f0809ea156be7821eaaf5591a809ce0d0a2aaa0c5eee2e95f14
Instruction ID: f296bbec70a074a209dac9f1615e9585daa8c1648db80d9d9fc828d21edfb46b
Opcode Fuzzy Hash: 8537bfac21956f0809ea156be7821eaaf5591a809ce0d0a2aaa0c5eee2e95f14
Instruction Fuzzy Hash: AF118271205635BAD7387BA68C49EE7BEADEF127A4F00432AB50993180D7749A41DBF0

Function 001A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001A34BA

Strings

edit, xrefs: 001A348F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6ece7c08f48855b9bfe9013180d4fe0d01295f02364d15340010d5d8a3cad8f9
Instruction ID: a6a5aeeb75bd5786b384d6f893b9fa7c03227797f6bb5b45b0393d35202388d7
Opcode Fuzzy Hash: 6ece7c08f48855b9bfe9013180d4fe0d01295f02364d15340010d5d8a3cad8f9
Instruction Fuzzy Hash: 32118C79500208AFEB128E64DC84BEB3B6AEB1A378F504324F975971E0C771DC919BA0

Function 00176C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

CharUpperBuffW.USER32(?,?,?), ref: 00176CB6
_wcslen.LIBCMT ref: 00176CC2

Strings

STOP, xrefs: 00176CBC, 00176CC1

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 01145d6b4e5662a1809e4aa72e2c8e3be5bb8d9f5a23eb7314b262b9f8aa3edf
Instruction ID: 093ac48a4cf663c83998c5ce0de9ed025e3fc925ae8ef91aea868dcdf8feee27
Opcode Fuzzy Hash: 01145d6b4e5662a1809e4aa72e2c8e3be5bb8d9f5a23eb7314b262b9f8aa3edf
Instruction Fuzzy Hash: A80104326109268BCB219FFDDC809BF37B5EB65750B114534E8A696190EB31D940C650

Function 00171CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00171D4C

Strings

ListBox, xrefs: 00171D16
ComboBox, xrefs: 00171CEB

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 11a33af43c31f401c2ff8620b23321b5f50925fc9fe2bd3e3d1cd3c87c5b9b0f
Instruction ID: 53cf723232dc2faf7d09aaa88dbfefff0c0a858df2b6aed7b4dc6fd57c187cb1
Opcode Fuzzy Hash: 11a33af43c31f401c2ff8620b23321b5f50925fc9fe2bd3e3d1cd3c87c5b9b0f
Instruction Fuzzy Hash: 3E01D871601218BBCB18EBE8CC55DFE7379EB56390B04491AF876573C1EB3059489AA0

Function 00171BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00171C46

Strings

ListBox, xrefs: 00171C10
ComboBox, xrefs: 00171BE5

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3a11fee8900f16cc47ba540b4fc3a735a57f10c637c8f75ca12dec5e75aab884
Instruction ID: 87fa7eabd0ac1b94365fab95b975137d69baaa820d388654b37e18b7a4e420e7
Opcode Fuzzy Hash: 3a11fee8900f16cc47ba540b4fc3a735a57f10c637c8f75ca12dec5e75aab884
Instruction Fuzzy Hash: 9A01AC7564110876CB09E7D4C952AFF77B99B21340F244026A95A672C1EB209F4896B1

Function 00171C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00171CC8

Strings

ListBox, xrefs: 00171C94
ComboBox, xrefs: 00171C69

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 37cb45e7d7cc62fe11444a77b141aee00e889e2d9a6987b4caada91eebaae02c
Instruction ID: 6ae17907cbce7465499e976a6492fe4b904843c21c03848c68a56f5b2f37327e
Opcode Fuzzy Hash: 37cb45e7d7cc62fe11444a77b141aee00e889e2d9a6987b4caada91eebaae02c
Instruction Fuzzy Hash: 5D01DB7164011877CB09EBD4CA12AFE73B99B21380F544026B85A77281EB209F48D6B1

Function 00171D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD

Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00171DD3

Strings

ListBox, xrefs: 00171DA0
ComboBox, xrefs: 00171D75

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: eeee9ea006af704145467ec3b5087813f5a4144b48a159444bd7198b3014ff4a
Instruction ID: 73ca8edff32ae57a2494bcc7f5ebe0acd809b6bbb94cdb26a5ded8613aed3398
Opcode Fuzzy Hash: eeee9ea006af704145467ec3b5087813f5a4144b48a159444bd7198b3014ff4a
Instruction Fuzzy Hash: E6F0C871B4121876DB1CF7E8CC66FFF7778AB12390F440926B876672C1DB605A4896A0

Function 0019747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00197493
_wcslen.LIBCMT ref: 001974B9

Strings

3, 3, 16, 1, xrefs: 00197483

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: cb90a8daab77d1a67353d9ff6b8c679121804797aee2e5f9d5ef5aff97d7dba3
Instruction ID: 45d47f049782603785604f5605f634168f7c6a48c8cda72f43919e3daf7544d5
Opcode Fuzzy Hash: cb90a8daab77d1a67353d9ff6b8c679121804797aee2e5f9d5ef5aff97d7dba3
Instruction Fuzzy Hash: CDE02B1262422021D7311279ACC1B7F5789DFDD770B14182BF985C32E7EB949D9193A0

Function 00170B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00170B23

Strings

Error allocating memory., xrefs: 00170B1C
AutoIt, xrefs: 00170B17

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 80d14fa14cefa8d4833e6f5f667d464970c951f763b0a5df32e12f96043c4ae8
Instruction ID: 3d055ce2e9bacbb4ee08160fb7b2b092254a186ed544fa3859ba3603429ca613
Opcode Fuzzy Hash: 80d14fa14cefa8d4833e6f5f667d464970c951f763b0a5df32e12f96043c4ae8
Instruction Fuzzy Hash: 80E0203524432877D21537947C03FC97B948F16F24F10043BF748555C38FE265A046E9

Function 00130D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0012F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00130D71,?,?,?,0011100A), ref: 0012F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0011100A), ref: 00130D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0011100A), ref: 00130D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00130D7F

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 71d3339f570b399d593c64636b0279d98c4871ee5a71da0efdb26edf24cde0f9
Instruction ID: a95cd0326c70873ba4b95072c12094c9cd846200fb2e45eb3956427efd5bd362
Opcode Fuzzy Hash: 71d3339f570b399d593c64636b0279d98c4871ee5a71da0efdb26edf24cde0f9
Instruction Fuzzy Hash: 7FE06D782003518BD3219FF8E518386BBE0AB19740F00492DE486C6A51DBB0E4858B91

Function 00183017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0018302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00183044

Strings

aut, xrefs: 00183038

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 6d834d2f2708f6729afddaa8d82da4fee68cbe5efe92e0a1d6c39e8ef9c18c82
Instruction ID: 8abd9338460636058e1c1d456d39a6028c0da7dc17de48d3d6044e3c0e267093
Opcode Fuzzy Hash: 6d834d2f2708f6729afddaa8d82da4fee68cbe5efe92e0a1d6c39e8ef9c18c82
Instruction Fuzzy Hash: D0D05E7250032867DA20A7A4AD0EFCB7B7CDB05750F0002A3B696E2092DBB49984CAD0

Function 0016D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0016D220

Strings

%.3d, xrefs: 0016D22B
X64, xrefs: 0016D2A8

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 4b6001dee6fc0636631c6eb04c58aa8163249f48a716bda0ce4d1c1aa515baad
Instruction ID: 8d7ff31791cf2aae8a1cf01336adced4443ff996f159adcf087b28af19be2571
Opcode Fuzzy Hash: 4b6001dee6fc0636631c6eb04c58aa8163249f48a716bda0ce4d1c1aa515baad
Instruction Fuzzy Hash: 58D012A1D09118E9CB9497E0FC559BAB37CBB18341F51846BF80691040E724C5686761

Function 001A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001A233F

Part of subcall function 0017E97B: Sleep.KERNEL32 ref: 0017E9F3

Strings

Shell_TrayWnd, xrefs: 001A2325

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: bd02f07bf4a9dcfd1bfdc48d57eed5015b8fd11bfc2a86c0aea0c76674a14470
Instruction ID: 3c19417b5654183074b7a3f304f8f57c2eef925c9479e7c2442b610ba86ab132
Opcode Fuzzy Hash: bd02f07bf4a9dcfd1bfdc48d57eed5015b8fd11bfc2a86c0aea0c76674a14470
Instruction Fuzzy Hash: C2D012767D4310B7E664B770DC0FFC67A549B15B14F0089167759EA2D0CAF0A841CA94

Function 001A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001A236C
PostMessageW.USER32(00000000), ref: 001A2373

Part of subcall function 0017E97B: Sleep.KERNEL32 ref: 0017E9F3

Strings

Shell_TrayWnd, xrefs: 001A2365

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8ab4940d7308649fecc1dadbf7d158055f7256401de552c8cb5126a1a2ca83ca
Instruction ID: 511e1803387d0d8f26ddc83a58a80d4d4b680ae49308afc19f6c8d51fb2ba7e5
Opcode Fuzzy Hash: 8ab4940d7308649fecc1dadbf7d158055f7256401de552c8cb5126a1a2ca83ca
Instruction Fuzzy Hash: 4CD012727C13107BE664B770DC0FFC676549B16B14F0089167759EA2D0CAF0B841CA94

Function 0014BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0014BE93
GetLastError.KERNEL32 ref: 0014BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0014BEFC

Memory Dump Source

Source File: 00000001.00000002.1941164398.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000001.00000002.1941133682.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941247713.00000000001D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941314606.00000000001DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1941353126.00000000001E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 37c8b9c236f3f017b9e462db65ab687fed4566c6f867e4ebfdb41d6bbaa7ba0a
Instruction ID: 9a32e3c753c724264ec07c85e748bf7ca5173663cebe087c3eac9d657b5460e5
Opcode Fuzzy Hash: 37c8b9c236f3f017b9e462db65ab687fed4566c6f867e4ebfdb41d6bbaa7ba0a
Instruction Fuzzy Hash: 5941B434609206EFCF258F65CC94ABA7BA5EF42320F154169F95DA71B1DB30CD05DB60

Analysis Process: firefox.exePID: 8056, Parent PID: 8036COMMON

Executed Functions

Function 000000A09377D549 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.2094812579.000000A093777000.00000020.00000800.00020000.00000000.sdmp, Offset: 000000A093777000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_a093777000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d21433558e284bc3e5c10176dda4908f65c581aeb0500ba95f3847a517575f9
Instruction ID: 49db39c09e6df172eaac2e95a974392004c8e9cbb4a6cd86dc5bceff18b6192e
Opcode Fuzzy Hash: 5d21433558e284bc3e5c10176dda4908f65c581aeb0500ba95f3847a517575f9
Instruction Fuzzy Hash: 0702D271618A4D9FDB59DF68C854B98BBB1FF19310F1A009ED00AEB293D770A891CF52

Function 000000A09377F145 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.2094812579.000000A093777000.00000020.00000800.00020000.00000000.sdmp, Offset: 000000A093777000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_a093777000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71e3b326d33eafd7e281f17d78329f5e0077b4dae0ccb59c2e539cf64a1ba07
Instruction ID: 1c2e1db8322a65a610d02fab2a73a50336dea926d5c22254c57320e5a1ab7552
Opcode Fuzzy Hash: f71e3b326d33eafd7e281f17d78329f5e0077b4dae0ccb59c2e539cf64a1ba07
Instruction Fuzzy Hash: C9217970609A899FCB85EF28E8D0B15BBE1FF6A304F0805DDD449CB293D721A858CB52

Analysis Process: firefox.exePID: 7980, Parent PID: 8056COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002B963CA9672 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000002B963CA96D7

Strings

z, xrefs: 000002B963CA970B
z, xrefs: 000002B963CAACB6
>, xrefs: 000002B963CA9739
>, xrefs: 000002B963CAD77F
#, xrefs: 000002B963CA7A45
#, xrefs: 000002B963CA9702
>, xrefs: 000002B963CAA4DC
A, xrefs: 000002B963CA96CF
#, xrefs: 000002B963CAA7B1
4, xrefs: 000002B963CAD759

Memory Dump Source

Source File: 00000014.00000002.3077627200.000002B963CA7000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002B963CA7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b963ca7000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: c682f3caf7c054f18d0656aa57e013c79506ff318e929fda46629bbb4e33268e
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: BEA3D531618A498BDB2DDF1CDC956A973E9FB94300F14822EED4BC7255EF34E9428B81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000010.00000003.2141310995.0000028036EDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2127003968.00000280420EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2007876834.0000028039FE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2152405841.0000028039DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2152405841.0000028039DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2159084814.000002803CD66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963D0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2159084814.000002803CD66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963D0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.2133846529.000002803B96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2159084814.000002803CD66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3078232710.000002B963D0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2154682025.0000028039261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2127003968.00000280420EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2154270326.000002803939F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2007876834.0000028039FE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2140537405.0000028039E90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2123726048.0000028041B93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2007876834.0000028039FE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2107087045.0000028041B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:54859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:54862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:54864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:54871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:54877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:54878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:54880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:54881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.48:443 -> 192.168.2.4:54883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:54886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:54889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:54887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:54888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:55073 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:55072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:55074 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54857
Source: unknown	Network traffic detected: HTTP traffic on port 55040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54852
Source: unknown	Network traffic detected: HTTP traffic on port 54876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54856
Source: unknown	Network traffic detected: HTTP traffic on port 54857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54854
Source: unknown	Network traffic detected: HTTP traffic on port 54872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55073
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55072
Source: unknown	Network traffic detected: HTTP traffic on port 55073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 54862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54906
Source: unknown	Network traffic detected: HTTP traffic on port 55072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54861
Source: unknown	Network traffic detected: HTTP traffic on port 54879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54866
Source: unknown	Network traffic detected: HTTP traffic on port 54875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55162
Source: unknown	Network traffic detected: HTTP traffic on port 54886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54872
Source: unknown	Network traffic detected: HTTP traffic on port 54878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54871
Source: unknown	Network traffic detected: HTTP traffic on port 54874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54876
Source: unknown	Network traffic detected: HTTP traffic on port 54871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54880
Source: unknown	Network traffic detected: HTTP traffic on port 54906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54882
Source: unknown	Network traffic detected: HTTP traffic on port 54856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54888
Source: unknown	Network traffic detected: HTTP traffic on port 54870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54886
Source: unknown	Network traffic detected: HTTP traffic on port 55162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54880 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e4fbc742-bebd-480e-873e-d4404770e5be.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e4fbc742-bebd-480e-873e-d4404770e5be.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre