Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542949
MD5:	c66a0b6df999e2408e0f15fad285b788
SHA1:	6f052624cdb8dcca2ab520a885e24e14e1661702
SHA256:	b750e2562f536abd306ec880169bbe02dba51e3b6801c0da3c51d3e4efd4d86e
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C66A0B6DF999E2408E0F15FAD285B788)

taskkill.exe (PID: 7340 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7436 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7500 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7564 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7628 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7692 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7724 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7740 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8016 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ae33e5d-6f66-4269-9aad-bb5beef63bd6} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19fd896ef10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7380 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4108 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 4204 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a678e984-104c-431b-8a00-cf9919c7d1e3} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19fe8b54c10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1148 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5052 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96dff99a-b4b2-4052-8a9a-312eb0d9a788} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19ff1e6c310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7324	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_004BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004BED6A

Source: C:\Users\user\Desktop\file.exe

0_2_004BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_004AAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004D9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1693428995.0000000000502000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1a22f6ab-8
Source: file.exe, 00000000.00000000.1693428995.0000000000502000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6afb8b72-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_acb2aeaf-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f4a9b74f-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002753E6C8737 NtQuerySystemInformation,		16_2_000002753E6C8737
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002753E6F9AF2 NtQuerySystemInformation,		16_2_000002753E6F9AF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_004AD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004AE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044BF40	0_2_0044BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B2046	0_2_004B2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448060	0_2_00448060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A8298	0_2_004A8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047E4FF	0_2_0047E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047676B	0_2_0047676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D4873	0_2_004D4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044CAF0	0_2_0044CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046CAA0	0_2_0046CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045CC39	0_2_0045CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476DD9	0_2_00476DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045B119	0_2_0045B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004491C0	0_2_004491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461394	0_2_00461394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461706	0_2_00461706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046781B	0_2_0046781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045997D	0_2_0045997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00447920	0_2_00447920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004619B0	0_2_004619B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00467A4A	0_2_00467A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461C77	0_2_00461C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00467CA7	0_2_00467CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004CBE44	0_2_004CBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00479EEE	0_2_00479EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461F32	0_2_00461F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002753E6C8737	16_2_000002753E6C8737
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002753E6F9AF2	16_2_000002753E6F9AF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002753E6FA21C	16_2_000002753E6FA21C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002753E6F9B32	16_2_000002753E6F9B32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0045F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00460A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B37B5 GetLastError,FormatMessageW,

0_2_004B37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A10BF AdjustTokenPrivileges,CloseHandle,		0_2_004A10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004A16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004B51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_004AD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004B648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1825101175.0000019FF1E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1825663513.0000019FF12F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ae33e5d-6f66-4269-9aad-bb5beef63bd6} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19fd896ef10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4108 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 4204 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a678e984-104c-431b-8a00-cf9919c7d1e3} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19fe8b54c10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5052 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96dff99a-b4b2-4052-8a9a-312eb0d9a788} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19ff1e6c310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ae33e5d-6f66-4269-9aad-bb5beef63bd6} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19fd896ef10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4108 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 4204 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a678e984-104c-431b-8a00-cf9919c7d1e3} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19fe8b54c10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5052 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96dff99a-b4b2-4052-8a9a-312eb0d9a788} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19ff1e6c310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8kernel32.pdb source: firefox.exe, 0000000D.00000003.1824143106.0000019FF50CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1836737118.0000019FE80C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1835315430.0000019FE80C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1836737118.0000019FE80C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ucrtbase.pdb source: firefox.exe, 0000000D.00000003.1824143106.0000019FF50CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1824143106.0000019FF50CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbglean_internal_info#events#start source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: 8kernelbase.pdb source: firefox.exe, 0000000D.00000003.1824143106.0000019FF50CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 0000000D.00000003.1824143106.0000019FF50CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1835315430.0000019FE80C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000D.00000003.1824864690.0000019FF50A7000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00460A76 push ecx; ret

0_2_00460A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0045F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004D1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94422

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002753E6C8737 rdtsc

16_2_000002753E6C8737

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004ADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B68EE FindFirstFileW,FindClose,	0_2_004B68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_004B698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004AD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004AD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004B9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004B979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_004B9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_004B5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: firefox.exe, 0000000F.00000002.2956332276.000001DB6DA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: firefox.exe, 0000000F.00000002.2956332276.000001DB6DA00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2949776980.000001DB6D4DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2947458720.000002753E3DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2954884590.000002753ED60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2953867123.0000022C75600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2948696921.0000022C7528A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2955330425.000001DB6D91A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2954884590.000002753ED71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJF
Source: firefox.exe, 0000000F.00000002.2956332276.000001DB6DA00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2954884590.000002753ED71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002753E6C8737 rdtsc

16_2_000002753E6C8737

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BEAA2 BlockInput,

0_2_004BEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00472622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00472622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00464CE8 mov eax, dword ptr fs:[00000030h]

0_2_00464CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_004A0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00472622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00472622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0046083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004609D5 SetUnhandledExceptionFilter,	0_2_004609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00460C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00460C21

Source: C:\Users\user\Desktop\file.exe

0_2_004A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00482BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00482BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AB226 SendInput,keybd_event,

0_2_004AB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004C22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_004A0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004A1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1819221503.0000019FF4B01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00460698 cpuid

0_2_00460698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_004B8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0049D27A GetUserNameW,

0_2_0049D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0047BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7324, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7324, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_004C1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_004C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.16.206	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000002.2950433482.000002753E7C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2950040268.0000022C755C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1910538024.0000019FE8C28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.come	firefox.exe, 0000000D.00000003.1851831536.0000019FF0BB5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1899086671.0000019FEA76A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831216586.0000019FEA76A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909608344.0000019FEA76A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2950583547.000001DB6D7C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950433482.000002753E7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954202566.0000022C75703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1772965416.0000019FF0740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1771198353.0000019FF0749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777717791.0000019FF0746000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848632978.0000019FF0746000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1770708901.0000019FF0749000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.2950433482.000002753E786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2950040268.0000022C7558F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1826771322.0000019FF0C39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781755041.0000019FF0C33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1781755041.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774547841.0000019FF0CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891356966.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825927334.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1900684036.0000019FF0662000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900202732.0000019FF4ADE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894094805.0000019FF0662000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1879643113.0000019FF1CC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909934489.0000019FEA5E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832355072.0000019FEA5E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903213821.0000019FEA5E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1737745885.0000019FE851F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738103599.0000019FE853C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737280426.0000019FE8300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740339805.0000019FE8577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1739254147.0000019FE855A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1894094805.0000019FF064D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1732801413.0000019FE4A13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732801413.0000019FE4A2C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1783144462.0000019FF0A77000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1900856793.0000019FEBC6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828563083.0000019FEBC6D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1737745885.0000019FE851F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738103599.0000019FE853C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737280426.0000019FE8300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740339805.0000019FE8577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1739254147.0000019FE855A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1828563083.0000019FEBC6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828387741.0000019FEC1D6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1781755041.0000019FF0C4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1826771322.0000019FF0C39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781755041.0000019FF0C33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2950583547.000001DB6D7C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950433482.000002753E7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954202566.0000022C75703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing	firefox.exe, 0000000D.00000003.1732801413.0000019FE4A13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732801413.0000019FE4A2C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1893020692.0000019FF0895000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1879643113.0000019FF1C62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2950583547.000001DB6D7C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950433482.000002753E7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954202566.0000022C75703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1906874457.0000019FE9AF6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000011.00000002.2950040268.0000022C7550C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1803614938.0000019FE983E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1804529813.0000019FE982A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1825927334.0000019FF0C78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781755041.0000019FF0C7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1781755041.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774547841.0000019FF0CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891356966.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825927334.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000002.2950433482.000002753E7C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2950040268.0000022C755C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1827973286.0000019FF05A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1803680656.0000019FE982A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1803651092.0000019FE9830000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1804529813.0000019FE982A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1880708794.0000019FE9E10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880409217.0000019FE9E0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1898760229.0000019FEA7BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1879643113.0000019FF1CBE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1732801413.0000019FE4A2C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1895467500.0000019FEC1A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828448920.0000019FEC1A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898306932.0000019FEC1A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950433482.000002753E712000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2950040268.0000022C75513000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1781755041.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774547841.0000019FF0CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891356966.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825927334.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1831216586.0000019FEA744000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1894094805.0000019FF064D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1906874457.0000019FE9A35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1803651092.0000019FE9830000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1804529813.0000019FE982A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1749754106.0000019FE89E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870929033.0000019FEA39D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778337486.0000019FF07BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773024289.0000019FF07BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831751528.0000019FEA6F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773024289.0000019FF07CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842772748.0000019FE89D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848632978.0000019FF07CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848025256.0000019FEA2A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1747530685.0000019FE925C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796743618.0000019FEA4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887849193.0000019FE9E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798264442.0000019FEA398000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842772748.0000019FE89D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800793688.0000019FEA2A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900856793.0000019FEBC5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910718781.0000019FE8BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1801782868.0000019FEA398000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828563083.0000019FEBC45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839943912.0000019FEBF80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1794579351.0000019FEA399000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1900856793.0000019FEBC6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828563083.0000019FEBC6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1829252269.0000019FEB1C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900856793.0000019FEBC6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828563083.0000019FEBC6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894094805.0000019FF064D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1827832429.0000019FF06A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825101175.0000019FF1E51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906874457.0000019FE9AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1827832429.0000019FF06A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825101175.0000019FF1E51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906874457.0000019FE9AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1906874457.0000019FE9A35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1772965416.0000019FF0740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1771198353.0000019FF0749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777717791.0000019FF0746000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848632978.0000019FF0746000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1827079792.0000019FF0879000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893020692.0000019FF087E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1777166359.0000019FE8E66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892680904.0000019FF0A39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1732801413.0000019FE4A13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732801413.0000019FE4A2C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1825927334.0000019FF0CF4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1743763158.0000019FE6C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1745707365.0000019FE6C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861768504.0000019FE6C39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1803651092.0000019FE9830000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1804529813.0000019FE982A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1902318070.0000019FEA69E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831978573.0000019FEA69E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1828563083.0000019FEBC77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900856793.0000019FEBC77000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1803680656.0000019FE982A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1803714067.0000019FE9824000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1803614938.0000019FE983E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1804458054.0000019FE9849000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1804529813.0000019FE982A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1803782225.0000019FE9847000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1743763158.0000019FE6C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1745707365.0000019FE6C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861768504.0000019FE6C39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2950583547.000001DB6D7C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950433482.000002753E7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954202566.0000022C75703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1893020692.0000019FF0895000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1781755041.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774547841.0000019FF0CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891356966.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825927334.0000019FF0C9D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1825101175.0000019FF1E29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825637646.0000019FF1E20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897163216.0000019FF1E27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2954766701.000001DB6D800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2948693495.000002753E640000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2949051966.0000022C752C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.16.206	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542949
Start date and time:	2024-10-26 23:39:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.13.186.250, 44.231.229.39, 34.208.54.237, 172.217.18.10, 142.250.186.74, 2.22.61.56, 2.22.61.59, 142.250.184.206, 216.58.206.78
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
17:40:12	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	kkkmpsl.elf	Get hash	malicious	Unknown	Browse	57.237.235.6
	kkkarm.elf	Get hash	malicious	Unknown	Browse	32.17.43.218
	kkkx86.elf	Get hash	malicious	Unknown	Browse	48.99.4.215

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_033fe187-7343-4f61-9672-73623c6f30c3.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183311363284421
Encrypted:	false
SSDEEP:	192:ojMX9JKcbhbVbTbfbRbObtbyEl7n3rlJA6WnSrDtTUd/SkDrDs:oYicNhnzFSJXrgBnSrDhUd/S
MD5:	AFB2C8558EA914E5B315B97360C5EF53
SHA1:	D791A3C76F77E2FFDCB793A1619BA13280E7078C
SHA-256:	4285D4D50AC6E590820FD03C6DFCA8633F959FE05150DB491A137D1355E0D061
SHA-512:	99565155F527900A28B601BDB8EE0872C1DB2B8C90ED0591DF49393BACFF61D97D688566C0A983627091913572CE687A6AEB783A7EC946BA502866A0B0F5F297
Malicious:	false
Preview:	{"type":"uninstall","id":"033fe187-7343-4f61-9672-73623c6f30c3","creationDate":"2024-10-26T22:50:52.149Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_033fe187-7343-4f61-9672-73623c6f30c3.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183311363284421
Encrypted:	false
SSDEEP:	192:ojMX9JKcbhbVbTbfbRbObtbyEl7n3rlJA6WnSrDtTUd/SkDrDs:oYicNhnzFSJXrgBnSrDhUd/S
MD5:	AFB2C8558EA914E5B315B97360C5EF53
SHA1:	D791A3C76F77E2FFDCB793A1619BA13280E7078C
SHA-256:	4285D4D50AC6E590820FD03C6DFCA8633F959FE05150DB491A137D1355E0D061
SHA-512:	99565155F527900A28B601BDB8EE0872C1DB2B8C90ED0591DF49393BACFF61D97D688566C0A983627091913572CE687A6AEB783A7EC946BA502866A0B0F5F297
Malicious:	false
Preview:	{"type":"uninstall","id":"033fe187-7343-4f61-9672-73623c6f30c3","creationDate":"2024-10-26T22:50:52.149Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929697871651908
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL+y58P:8S+OBIUjOdwiOdYVjjwL+y58P
MD5:	55257E6511247647C116FCDE75A60C8A
SHA1:	80220D673D0DF1533916413E01A68126A556B36B
SHA-256:	3669A8224FA2DE162398D920DFABF1B11ADA842E7696CE84648AAE84BCB1BF25
SHA-512:	54558A6EE45F425E79BDA3986000A3BC85F051508793457EC1FCFCC9475300815BD80366E4561E91BA48B6C716047EFCCF0D72500E3B4E35B8AB158F4EC0417E
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929697871651908
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL+y58P:8S+OBIUjOdwiOdYVjjwL+y58P
MD5:	55257E6511247647C116FCDE75A60C8A
SHA1:	80220D673D0DF1533916413E01A68126A556B36B
SHA-256:	3669A8224FA2DE162398D920DFABF1B11ADA842E7696CE84648AAE84BCB1BF25
SHA-512:	54558A6EE45F425E79BDA3986000A3BC85F051508793457EC1FCFCC9475300815BD80366E4561E91BA48B6C716047EFCCF0D72500E3B4E35B8AB158F4EC0417E
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335892763187632
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiot:DLhesh7Owd4+ji
MD5:	A8C09EA32DD4F0BB1736B16EC73E81B1
SHA1:	158F2DCFD523EA7221EE1913723A03F1A1157977
SHA-256:	065A18E6EE221CFAE65F84AFC206DD0A100A7E5A499383D870F57CF0294A0560
SHA-512:	4C06417F27F200FBBD525D3A6D7EFDAAB1C7C9A64F54D3F40F2886F49C9762E5CB7935885B9D75B2B0BA32E62171AE0E8B94277EE9E52A8B8B92BDBECC0E7DDC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035455806264726504
Encrypted:	false
SSDEEP:	3:GtlstFUhE7syh4rhI/3lstFUhE7syh4rrlx89//alEl:GtWtWsT8hIPWtWsT8rD89XuM
MD5:	4C977B10A4978DD7BED7BFDA1FC2922F
SHA1:	FAE280898043E3F76DB4DEA9B8C32C2DC5B4F775
SHA-256:	5EA9973D461E55A6384CB3AEF98E41A2C822FD1D3FDDAA6F2B6E2616DF14EFFB
SHA-512:	8562C95F880BBD6FC8072BBF990880B1EA161351CA35B9C7DB32A04CF24096AFCC9E699141F7EA3F308C35922CC7DA1DE9D2478F918A68762347AA09A73CE142
Malicious:	false
Preview:	..-.....................C...z6.......'...['.z....-.....................C...z6.......'...['.z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03995818625313585
Encrypted:	false
SSDEEP:	3:Ol1GwN1t4NCQlIf7l8rEXsxdwhml8XW3R2:Kdu0l8dMhm93w
MD5:	8D42277129D5E811EB5EFF6E7DDF80FD
SHA1:	70D55A9CA23934A39B2833154E128D9CE9906FF5
SHA-256:	93FF74F1259834CD673031ECFB11ADC5D037EC21DF9D301102270748D5CB7DE9
SHA-512:	72CAD81606304BBF98941FD4BF04F2747C589CFA81CA52DC7DC0EDFF5BF25290FF37C4007F005FB747E9BC9462C41BF94CE2B39527DDCEBF76E7A9E5AE48AAE8
Malicious:	false
Preview:	7....-...............'.....^n..............'....C..6z................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495292259265804
Encrypted:	false
SSDEEP:	192:0naRtLYbBp6thj4qyaaXj6KrmN+qE5RfGNBw8dPSl:JeDqlgiwcwY0
MD5:	42FC4B68F9F55D7D158A114AF9B1B2EE
SHA1:	D8343099FEF81375D41353349CC3448EF81EC2AC
SHA-256:	3BFE1D408293CFF0874C8DC445557728FC1B538E8365EFD889ED3B10D28EA8AA
SHA-512:	6140E75F3659B7270331341B0B3F022D35FD41EA9D58206648B4BAA23619720ED7F3B3E83D230FA6882C1ED37BE99AA95C1E6488CE12080B6B74B72127EEFD7A
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729983023);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729983023);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729983023);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172998

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495292259265804
Encrypted:	false
SSDEEP:	192:0naRtLYbBp6thj4qyaaXj6KrmN+qE5RfGNBw8dPSl:JeDqlgiwcwY0
MD5:	42FC4B68F9F55D7D158A114AF9B1B2EE
SHA1:	D8343099FEF81375D41353349CC3448EF81EC2AC
SHA-256:	3BFE1D408293CFF0874C8DC445557728FC1B538E8365EFD889ED3B10D28EA8AA
SHA-512:	6140E75F3659B7270331341B0B3F022D35FD41EA9D58206648B4BAA23619720ED7F3B3E83D230FA6882C1ED37BE99AA95C1E6488CE12080B6B74B72127EEFD7A
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729983023);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729983023);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729983023);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172998

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.329681400302313
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRH2LXnIgs/pnxQwRlszT5sKt0N3eHVQj6TqamhujJlOsIomNVr0ay:GUpOxFMnR6s3eHTq4JlIquR4
MD5:	0BACC79C225E97C46BFF8B4323424091
SHA1:	DD821DB5CCEE476DB9115F1E5F2850D32580030C
SHA-256:	0E13086800D458665892601A51E0DA1B37043C946F253DCAACF1592399F12C81
SHA-512:	0563A0D07E0109877A2DC8831F728334C4F3B7EEAAAB61F292B9A06FA8474C9BD3C054845093196EC3E0A34350D7019A1B64D2D5F80F67639468A1A5C732DFAD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5ae3da55-05cc-45e7-8be1-a25cc8b2e22b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729983026635,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P29919...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..dexpiry......931,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.329681400302313
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRH2LXnIgs/pnxQwRlszT5sKt0N3eHVQj6TqamhujJlOsIomNVr0ay:GUpOxFMnR6s3eHTq4JlIquR4
MD5:	0BACC79C225E97C46BFF8B4323424091
SHA1:	DD821DB5CCEE476DB9115F1E5F2850D32580030C
SHA-256:	0E13086800D458665892601A51E0DA1B37043C946F253DCAACF1592399F12C81
SHA-512:	0563A0D07E0109877A2DC8831F728334C4F3B7EEAAAB61F292B9A06FA8474C9BD3C054845093196EC3E0A34350D7019A1B64D2D5F80F67639468A1A5C732DFAD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5ae3da55-05cc-45e7-8be1-a25cc8b2e22b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729983026635,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P29919...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..dexpiry......931,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.329681400302313
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRH2LXnIgs/pnxQwRlszT5sKt0N3eHVQj6TqamhujJlOsIomNVr0ay:GUpOxFMnR6s3eHTq4JlIquR4
MD5:	0BACC79C225E97C46BFF8B4323424091
SHA1:	DD821DB5CCEE476DB9115F1E5F2850D32580030C
SHA-256:	0E13086800D458665892601A51E0DA1B37043C946F253DCAACF1592399F12C81
SHA-512:	0563A0D07E0109877A2DC8831F728334C4F3B7EEAAAB61F292B9A06FA8474C9BD3C054845093196EC3E0A34350D7019A1B64D2D5F80F67639468A1A5C732DFAD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5ae3da55-05cc-45e7-8be1-a25cc8b2e22b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729983026635,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P29919...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..dexpiry......931,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033618082867054
Encrypted:	false
SSDEEP:	48:YrSAYfq6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycCyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	6BBEFFA9E123453E433B89873E379A03
SHA1:	B129A0B153B886B5FF5A035A2FEFECB1FE1FD458
SHA-256:	4D5F7E71417126B5E3E55982597CCAC274F6AE48E62054EFE934E5335E4ED63C
SHA-512:	27C42815166B9DE321149D07C047DF2CC1C3664B720F311BCAD350F8F751852B7B3AD0363E7A8CBB6FD4F0A8A4EDACC09331ED789D5EF5CFA351A26FDC5807D2
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-26T22:50:07.516Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033618082867054
Encrypted:	false
SSDEEP:	48:YrSAYfq6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycCyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	6BBEFFA9E123453E433B89873E379A03
SHA1:	B129A0B153B886B5FF5A035A2FEFECB1FE1FD458
SHA-256:	4D5F7E71417126B5E3E55982597CCAC274F6AE48E62054EFE934E5335E4ED63C
SHA-512:	27C42815166B9DE321149D07C047DF2CC1C3664B720F311BCAD350F8F751852B7B3AD0363E7A8CBB6FD4F0A8A4EDACC09331ED789D5EF5CFA351A26FDC5807D2
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-26T22:50:07.516Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584693371988533
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	c66a0b6df999e2408e0f15fad285b788
SHA1:	6f052624cdb8dcca2ab520a885e24e14e1661702
SHA256:	b750e2562f536abd306ec880169bbe02dba51e3b6801c0da3c51d3e4efd4d86e
SHA512:	1f54e3bf477654f6c7250a4cbda80f0c1ac158ed1006c5be430e30fe7f5f36a75e59d7dfdbf40272d9482d95f2c3f48dddcfa948ff01cb78eda121d010235fbb
SSDEEP:	12288:qqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TA:qqDEvCTbMWu7rQYlBQcBiT6rprG8abA
TLSH:	24159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671D60DF [Sat Oct 26 21:36:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F29D0852723h
jmp 00007F29D085202Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F29D085220Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F29D08521DAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F29D0854DCDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F29D0854E18h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F29D0854E01h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	4d72a59cdab91a811e3021e09d8fdfb4	False	0.31561511075949367	data	5.37382071536845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 23:40:08.673969030 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:08.674068928 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:08.674302101 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:08.681585073 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:08.681626081 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:09.311927080 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:09.312007904 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:09.319255114 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:09.319294930 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:09.319397926 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:09.319654942 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:09.319875956 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:10.475528955 CEST	49738	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:10.475570917 CEST	443	49738	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:10.475728989 CEST	49738	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:10.477227926 CEST	49738	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:10.477256060 CEST	443	49738	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:10.625463963 CEST	49739	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:10.625560045 CEST	443	49739	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:10.635986090 CEST	49739	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:10.637523890 CEST	49739	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:10.637561083 CEST	443	49739	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:10.637864113 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:10.643785000 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:10.651806116 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:10.652149916 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:10.657829046 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:10.906488895 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:10.906572104 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:10.918535948 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:10.920222998 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:10.920260906 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:10.927982092 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:10.928066015 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:10.928533077 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:10.929982901 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:10.930022001 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:10.960406065 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:10.960484982 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:10.960654020 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:10.960771084 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:10.960793972 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:11.261354923 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:11.306900024 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:11.316764116 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.316837072 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:11.317044973 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.317187071 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.317209005 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:11.334858894 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:11.340648890 CEST	80	49745	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:11.340724945 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:11.340847015 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:11.347841978 CEST	80	49745	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:11.357837915 CEST	443	49738	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.357912064 CEST	49738	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.358841896 CEST	443	49738	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.358899117 CEST	49738	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.362945080 CEST	49738	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.362962961 CEST	443	49738	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.363018036 CEST	49738	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.363173008 CEST	443	49738	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.363262892 CEST	49738	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.523739100 CEST	443	49739	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.523772001 CEST	443	49739	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.525671005 CEST	49739	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.526808977 CEST	443	49739	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.529844999 CEST	49739	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.533349991 CEST	49739	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.533369064 CEST	443	49739	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.533436060 CEST	49739	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.533768892 CEST	443	49739	172.217.16.206	192.168.2.4
Oct 26, 2024 23:40:11.533827066 CEST	49739	443	192.168.2.4	172.217.16.206
Oct 26, 2024 23:40:11.543288946 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.543308020 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.543395996 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.547756910 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.547815084 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.547842979 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.548065901 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.548121929 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.577291965 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.577482939 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.582200050 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.582228899 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.582288027 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.582602024 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.582644939 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.582720995 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.582982063 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.583036900 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.584151030 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:11.584170103 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:11.587986946 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:11.588169098 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:11.591223955 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:11.591253042 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:11.591605902 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:11.598031998 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:11.598098993 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:11.598216057 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:11.598402977 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:11.640633106 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:11.646768093 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:11.646939993 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:11.940080881 CEST	80	49745	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:11.940551043 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:11.941530943 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:11.946506023 CEST	80	49745	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:11.949182987 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:11.949201107 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.952141047 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.952186108 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:11.952615976 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:11.954680920 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.954772949 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.954905033 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:11.955111980 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.955178976 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:11.955187082 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.955415010 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.955590963 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:11.955621958 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:12.036901951 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:12.043965101 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:12.044047117 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:12.044187069 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:12.052073002 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:12.215643883 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:12.215718985 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:12.219971895 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:12.219989061 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:12.220053911 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:12.220191002 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:12.220654964 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:12.570085049 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:12.570261955 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:12.573402882 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:12.573436022 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:12.573853016 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:12.578061104 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:12.578135967 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:12.578284025 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:12.583332062 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 23:40:12.590645075 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:12.590696096 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:12.590696096 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 23:40:12.642996073 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:12.709778070 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:12.842921972 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:12.843022108 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:12.843857050 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:12.845511913 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:12.846952915 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:12.846995115 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:12.849366903 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:12.849503040 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:12.849606037 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:12.855156898 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:13.014837027 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:13.020296097 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:13.141207933 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:13.210335016 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:13.449492931 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:13.465626001 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:13.465718031 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:13.470633984 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:13.470684052 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:13.470737934 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:13.471004963 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:13.471065044 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:13.471107006 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:13.471204042 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:13.471296072 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:13.472688913 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:13.472727060 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:13.510008097 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:13.630095005 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:13.635865927 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:13.755650997 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:13.810904026 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.033122063 CEST	49755	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:14.033190012 CEST	443	49755	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:14.034082890 CEST	49755	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:14.035486937 CEST	49755	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:14.035521030 CEST	443	49755	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:14.085844994 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.085879087 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:14.089613914 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.089900017 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.089914083 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:14.095331907 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:14.107373953 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:14.107403040 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:14.111763954 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:14.123326063 CEST	49757	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:14.123337984 CEST	443	49757	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:14.123482943 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.123567104 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:14.125157118 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:14.125189066 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:14.125241041 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:14.125427008 CEST	49757	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:14.125442028 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.125729084 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 26, 2024 23:40:14.126764059 CEST	49757	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:14.126780987 CEST	443	49757	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:14.127377033 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 26, 2024 23:40:14.128197908 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.128238916 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:14.348946095 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.354788065 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:14.474456072 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:14.477905035 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.483570099 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:14.524312019 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.603590012 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:14.646256924 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.664736032 CEST	443	49755	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:14.671093941 CEST	49755	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:14.675160885 CEST	49755	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:14.675184011 CEST	443	49755	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:14.675234079 CEST	49755	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:14.675913095 CEST	443	49755	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:14.677639008 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.683577061 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:14.685636997 CEST	49755	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:14.696799040 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:14.696933031 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.699243069 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.699250937 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:14.699482918 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:14.729715109 CEST	443	49757	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:14.730498075 CEST	49757	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:14.740480900 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.743731022 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:14.743818045 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.758033037 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.758095980 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.758184910 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:14.759753942 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:14.760885954 CEST	49757	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:14.760931015 CEST	443	49757	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:14.760947943 CEST	49757	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:14.761132002 CEST	443	49757	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:14.763189077 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.763232946 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:14.763262033 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.763550997 CEST	49757	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:14.763792038 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:14.764610052 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.803162098 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:14.856338978 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.886112928 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.887232065 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:14.891494036 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:14.892714024 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:14.979594946 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.979634047 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:14.982080936 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.982109070 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:14.988060951 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.988126993 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.988487005 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.988503933 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:14.988611937 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:14.988620043 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:15.011409044 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:15.011888981 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:15.019639969 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:15.019695997 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:15.019912004 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:15.024435997 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:15.024468899 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:15.060679913 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:15.060832024 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:15.100672007 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:15.109648943 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:15.230627060 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:15.282304049 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:16.431135893 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.431171894 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.431320906 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.432135105 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.432205915 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.435292959 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.435359001 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.820929050 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.820955992 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.821954012 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.823565960 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.823596001 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.824615955 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.828046083 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.828214884 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.828289032 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.828321934 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.828362942 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.828432083 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.828464031 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.828486919 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.828758955 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.828773022 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:16.829036951 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.829066038 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.829077959 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.829080105 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:16.829080105 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:21.725955963 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:21.764014006 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:21.878082991 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:21.923360109 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:22.383738995 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:22.383780003 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:22.385041952 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:22.386388063 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:22.386415958 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:22.487206936 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:22.487236977 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:22.487333059 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:22.492789030 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:22.492835999 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:22.494712114 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:22.494736910 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:22.612953901 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:22.653762102 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:23.010840893 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:23.011666059 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:23.101021051 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:23.101896048 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:23.208398104 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:23.208437920 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:23.208513021 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:23.208679914 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:23.208694935 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:23.208754063 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:23.208843946 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 23:40:23.209359884 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:23.211575031 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:40:23.211606026 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:23.566380024 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:23.571789026 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:23.692436934 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:23.741365910 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:24.474968910 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:24.480437040 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:24.600860119 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:24.645159960 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:33.701813936 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:33.707523108 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:33.759407997 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:33.759522915 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:33.759717941 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:33.760874987 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:33.760910034 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:34.374634981 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:34.383332968 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:34.388092995 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:34.392025948 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:34.392050982 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:34.392118931 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:34.392467976 CEST	443	49770	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:34.402219057 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:34.403688908 CEST	49770	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:34.407860994 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:34.527502060 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:34.558001995 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:34.563499928 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:34.588850021 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:34.683736086 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:34.735785007 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:35.466903925 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:35.472397089 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:35.592644930 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:35.595041037 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:35.600380898 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:35.638530016 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:35.720444918 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:35.760869026 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:37.882707119 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:37.882793903 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:37.883368015 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:37.883400917 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:37.891858101 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:37.892878056 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:37.898268938 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:37.898304939 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:37.899544001 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:37.899558067 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:37.899769068 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:37.899802923 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:37.899894953 CEST	49775	443	192.168.2.4	151.101.129.91
Oct 26, 2024 23:40:37.899996996 CEST	443	49775	151.101.129.91	192.168.2.4
Oct 26, 2024 23:40:37.900760889 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:37.900770903 CEST	49775	443	192.168.2.4	151.101.129.91
Oct 26, 2024 23:40:37.900892973 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:37.900903940 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:37.901074886 CEST	49775	443	192.168.2.4	151.101.129.91
Oct 26, 2024 23:40:37.901128054 CEST	443	49775	151.101.129.91	192.168.2.4
Oct 26, 2024 23:40:37.904921055 CEST	49776	443	192.168.2.4	35.201.103.21
Oct 26, 2024 23:40:37.905004978 CEST	443	49776	35.201.103.21	192.168.2.4
Oct 26, 2024 23:40:37.913692951 CEST	49776	443	192.168.2.4	35.201.103.21
Oct 26, 2024 23:40:37.915668011 CEST	49776	443	192.168.2.4	35.201.103.21
Oct 26, 2024 23:40:37.915698051 CEST	443	49776	35.201.103.21	192.168.2.4
Oct 26, 2024 23:40:38.506630898 CEST	443	49775	151.101.129.91	192.168.2.4
Oct 26, 2024 23:40:38.506736994 CEST	49775	443	192.168.2.4	151.101.129.91
Oct 26, 2024 23:40:38.511221886 CEST	49775	443	192.168.2.4	151.101.129.91
Oct 26, 2024 23:40:38.511255026 CEST	443	49775	151.101.129.91	192.168.2.4
Oct 26, 2024 23:40:38.511571884 CEST	443	49775	151.101.129.91	192.168.2.4
Oct 26, 2024 23:40:38.514280081 CEST	49775	443	192.168.2.4	151.101.129.91
Oct 26, 2024 23:40:38.514419079 CEST	49775	443	192.168.2.4	151.101.129.91
Oct 26, 2024 23:40:38.514476061 CEST	443	49775	151.101.129.91	192.168.2.4
Oct 26, 2024 23:40:38.515779972 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:38.515794992 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:38.516678095 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.520540953 CEST	49775	443	192.168.2.4	151.101.129.91
Oct 26, 2024 23:40:38.520585060 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:38.521919966 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:38.521964073 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:38.522067070 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.524897099 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.524924994 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.525952101 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.526007891 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.526096106 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.526819944 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:38.526869059 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.527070045 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.527096033 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.529562950 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:38.529580116 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:38.529901981 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:38.530158997 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.530469894 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.530550003 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.530791998 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.530802965 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.531898975 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.531980991 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.532514095 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:38.532526970 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:38.532589912 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:38.532866001 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.532915115 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.532989979 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 26, 2024 23:40:38.533502102 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.533535957 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 26, 2024 23:40:38.533544064 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.533576965 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.533965111 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:38.534002066 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:38.535408020 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:38.535486937 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:38.535861969 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:38.535972118 CEST	443	49776	35.201.103.21	192.168.2.4
Oct 26, 2024 23:40:38.535995960 CEST	443	49776	35.201.103.21	192.168.2.4
Oct 26, 2024 23:40:38.536037922 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:38.536062956 CEST	49776	443	192.168.2.4	35.201.103.21
Oct 26, 2024 23:40:38.537755013 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:38.540936947 CEST	49776	443	192.168.2.4	35.201.103.21
Oct 26, 2024 23:40:38.540978909 CEST	443	49776	35.201.103.21	192.168.2.4
Oct 26, 2024 23:40:38.541035891 CEST	49776	443	192.168.2.4	35.201.103.21
Oct 26, 2024 23:40:38.541121006 CEST	443	49776	35.201.103.21	192.168.2.4
Oct 26, 2024 23:40:38.541387081 CEST	49776	443	192.168.2.4	35.201.103.21
Oct 26, 2024 23:40:38.543212891 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:38.552824974 CEST	49780	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:38.552905083 CEST	443	49780	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:38.553004980 CEST	49780	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:38.553122044 CEST	49780	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:38.553143978 CEST	443	49780	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:38.663142920 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:38.680344105 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:38.685774088 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:38.730725050 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:38.809340000 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:38.862262964 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:39.147097111 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.147180080 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.148080111 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.149823904 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.149847984 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.150213957 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.150788069 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.153043032 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.153072119 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.153326035 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.154906034 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.154974937 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.155185938 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.156348944 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.156418085 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.156539917 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.156621933 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.156814098 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.156855106 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.156855106 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.159532070 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.159544945 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.159878969 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.161753893 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.161853075 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.161936998 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 26, 2024 23:40:39.163149118 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.163149118 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 26, 2024 23:40:39.166477919 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:39.170820951 CEST	443	49780	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:39.171945095 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:39.175364971 CEST	443	49780	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:39.176392078 CEST	49780	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:39.179624081 CEST	49780	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:39.179636955 CEST	443	49780	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:39.180073023 CEST	443	49780	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:39.188925982 CEST	49780	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:39.188925982 CEST	49780	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:39.189991951 CEST	443	49780	34.149.100.209	192.168.2.4
Oct 26, 2024 23:40:39.190217018 CEST	49780	443	192.168.2.4	34.149.100.209
Oct 26, 2024 23:40:39.291997910 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:39.297729969 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:39.303379059 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:39.344204903 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:39.423391104 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:39.464088917 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:49.298640966 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:49.304153919 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:49.430155039 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:49.435790062 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:54.509692907 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:54.509778976 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:54.509934902 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:54.511250973 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:54.511290073 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:55.160449028 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:55.160537004 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:55.164669037 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:55.164694071 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:55.164741993 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:55.165141106 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 26, 2024 23:40:55.165350914 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:40:55.167224884 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:55.172700882 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:55.292929888 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:55.295653105 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:55.301419020 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:55.339927912 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:40:55.422055006 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:40:55.471307039 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:05.304228067 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:05.309539080 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:05.442461014 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:05.447910070 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:07.099939108 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.100017071 CEST	443	49823	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.100186110 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.100260973 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.100271940 CEST	443	49824	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.100420952 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.100454092 CEST	443	49823	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.100526094 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.100625992 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.100645065 CEST	443	49824	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.114526033 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.114605904 CEST	443	49826	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.114944935 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.114944935 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.115082026 CEST	443	49826	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.709017038 CEST	443	49823	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.709544897 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.712866068 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.712888956 CEST	443	49823	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.713737011 CEST	443	49823	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.715734005 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.715811968 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.715922117 CEST	443	49823	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.723331928 CEST	443	49823	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.724827051 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.724828005 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.724828005 CEST	49823	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.725342035 CEST	443	49824	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.725425005 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.728605032 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.728657961 CEST	443	49824	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.729079008 CEST	443	49824	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.731009960 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.731120110 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.731225967 CEST	443	49824	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.736360073 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.736360073 CEST	49824	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.737108946 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:07.743122101 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:07.758831024 CEST	443	49826	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.763427973 CEST	443	49826	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.764427900 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.767350912 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.767402887 CEST	443	49826	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.768511057 CEST	443	49826	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.769750118 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.769820929 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.770386934 CEST	443	49826	34.120.208.123	192.168.2.4
Oct 26, 2024 23:41:07.773152113 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.773152113 CEST	49826	443	192.168.2.4	34.120.208.123
Oct 26, 2024 23:41:07.863151073 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:07.911427975 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:07.923377991 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:07.929421902 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:08.049254894 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:08.105103016 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:17.879508972 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:17.885437012 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:18.057921886 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:18.063539028 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:27.886523962 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:27.892371893 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:28.071624041 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:28.077523947 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:35.303180933 CEST	49983	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:41:35.303210020 CEST	443	49983	34.107.243.93	192.168.2.4
Oct 26, 2024 23:41:35.303499937 CEST	49983	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:41:35.304924965 CEST	49983	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:41:35.304935932 CEST	443	49983	34.107.243.93	192.168.2.4
Oct 26, 2024 23:41:36.007095098 CEST	443	49983	34.107.243.93	192.168.2.4
Oct 26, 2024 23:41:36.007306099 CEST	49983	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:41:36.011065960 CEST	49983	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:41:36.011065960 CEST	49983	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:41:36.011095047 CEST	443	49983	34.107.243.93	192.168.2.4
Oct 26, 2024 23:41:36.011306047 CEST	443	49983	34.107.243.93	192.168.2.4
Oct 26, 2024 23:41:36.011763096 CEST	49983	443	192.168.2.4	34.107.243.93
Oct 26, 2024 23:41:36.013216019 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:36.018660069 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:36.137919903 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:36.142772913 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:36.148123980 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:36.178777933 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:36.269834995 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:36.310432911 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:46.138617992 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:46.144582033 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:46.282761097 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:46.288815975 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:56.157533884 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:56.163420916 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:41:56.295686007 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:41:56.301551104 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 23:42:06.183378935 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:42:06.192698956 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 26, 2024 23:42:06.304609060 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 23:42:06.316709042 CEST	80	49752	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 23:40:08.712531090 CEST	53622	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:08.721683979 CEST	53	53622	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:08.723926067 CEST	49305	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:08.732815027 CEST	53	49305	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.463373899 CEST	58371	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.472076893 CEST	53	58371	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.475665092 CEST	52291	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.483954906 CEST	53	52291	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.484483957 CEST	53965	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.492675066 CEST	53	53965	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.599863052 CEST	55283	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.608556986 CEST	62991	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.616646051 CEST	53	62991	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.619968891 CEST	63643	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.627537966 CEST	53	63643	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.893573046 CEST	54901	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.902093887 CEST	53	54901	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.907000065 CEST	50402	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.912731886 CEST	52571	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.916560888 CEST	53	50402	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.920706987 CEST	62884	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.921088934 CEST	53	52571	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.928266048 CEST	53	62884	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.928272963 CEST	55283	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.936506987 CEST	53	55283	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.945843935 CEST	51174	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.955118895 CEST	53	51174	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.960603952 CEST	62899	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.968820095 CEST	53	62899	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:10.974524975 CEST	49827	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:10.982842922 CEST	53	49827	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:11.296744108 CEST	57305	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:11.297029018 CEST	51123	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:11.302598953 CEST	63350	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:11.304167032 CEST	53	57305	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:11.304611921 CEST	53	51123	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:11.310704947 CEST	53	63350	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:11.316863060 CEST	63092	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:11.325306892 CEST	53	63092	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:11.325826883 CEST	53704	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:11.326790094 CEST	54887	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:11.333796024 CEST	53	53704	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:13.837424040 CEST	59040	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:13.875971079 CEST	53	52170	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:13.918972969 CEST	49589	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:13.926090956 CEST	53	49589	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:13.927018881 CEST	64272	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:13.934614897 CEST	53	64272	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:13.935075998 CEST	55663	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:13.942888021 CEST	53	55663	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:14.084472895 CEST	53929	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:14.092008114 CEST	53	53929	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:14.123809099 CEST	51299	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:14.124093056 CEST	55346	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:14.131433010 CEST	53	55346	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:14.131464958 CEST	53	51299	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:14.134576082 CEST	54857	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:14.134949923 CEST	50073	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:14.141952038 CEST	53	54857	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:14.142734051 CEST	53	50073	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:14.880357027 CEST	50157	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:14.888366938 CEST	53	50157	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:14.892168045 CEST	63462	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:14.899908066 CEST	53	63462	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:14.904165030 CEST	59546	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:14.913104057 CEST	53	59546	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.027950048 CEST	49832	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.027985096 CEST	54203	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.028255939 CEST	49800	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.035412073 CEST	53	49832	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.036055088 CEST	53	49800	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.036091089 CEST	53	54203	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.036102057 CEST	62884	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.036809921 CEST	50724	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.037182093 CEST	64262	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.043426037 CEST	53	62884	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.044759989 CEST	53	50724	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.044814110 CEST	53	64262	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.049952984 CEST	63152	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.059120893 CEST	53	63152	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.061274052 CEST	64027	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.061539888 CEST	53375	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.068249941 CEST	59788	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.069401979 CEST	53	64027	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.069685936 CEST	53	53375	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.070770025 CEST	51597	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.077825069 CEST	53	51597	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.078036070 CEST	53	59788	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.078334093 CEST	55618	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.078830957 CEST	59528	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.086064100 CEST	53	55618	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.086554050 CEST	53	59528	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.086963892 CEST	56157	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.087090015 CEST	59751	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.094655037 CEST	53	56157	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.095355988 CEST	53	59751	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:21.727355957 CEST	51284	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:21.764029980 CEST	53	51284	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:22.486287117 CEST	60011	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:22.493972063 CEST	53	60011	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:33.759874105 CEST	60097	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:33.767591953 CEST	53	60097	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:37.877222061 CEST	57665	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:37.877489090 CEST	58809	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:37.885449886 CEST	53	58809	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:37.885580063 CEST	53	57665	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:37.891436100 CEST	61104	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:37.892870903 CEST	59479	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:37.893606901 CEST	60917	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:37.901402950 CEST	53	61104	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:37.902436972 CEST	53	59479	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:37.903367043 CEST	53	60917	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:37.904028893 CEST	52075	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:37.905546904 CEST	57148	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:37.911973000 CEST	53	52075	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:37.917244911 CEST	53	57148	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:37.924721956 CEST	58496	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:37.932724953 CEST	53	58496	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:54.500863075 CEST	51936	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:54.508816957 CEST	53	51936	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:54.509718895 CEST	49399	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:40:54.517288923 CEST	53	49399	1.1.1.1	192.168.2.4
Oct 26, 2024 23:40:55.167412043 CEST	51672	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:41:07.111565113 CEST	53351	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:41:07.120814085 CEST	53	53351	1.1.1.1	192.168.2.4
Oct 26, 2024 23:41:35.294333935 CEST	55916	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:41:35.302150965 CEST	53	55916	1.1.1.1	192.168.2.4
Oct 26, 2024 23:41:35.302999020 CEST	54606	53	192.168.2.4	1.1.1.1
Oct 26, 2024 23:41:35.310616016 CEST	53	54606	1.1.1.1	192.168.2.4
Oct 26, 2024 23:41:36.013355017 CEST	55845	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 23:40:08.712531090 CEST	192.168.2.4	1.1.1.1	0x5527	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:08.723926067 CEST	192.168.2.4	1.1.1.1	0x9bb0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:10.463373899 CEST	192.168.2.4	1.1.1.1	0x7bba	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.475665092 CEST	192.168.2.4	1.1.1.1	0xe498	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.484483957 CEST	192.168.2.4	1.1.1.1	0x339f	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:10.599863052 CEST	192.168.2.4	1.1.1.1	0xe6dc	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.608556986 CEST	192.168.2.4	1.1.1.1	0xdfa	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.619968891 CEST	192.168.2.4	1.1.1.1	0x11ae	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:10.893573046 CEST	192.168.2.4	1.1.1.1	0xb7f0	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.907000065 CEST	192.168.2.4	1.1.1.1	0x8aaf	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.912731886 CEST	192.168.2.4	1.1.1.1	0x1089	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.920706987 CEST	192.168.2.4	1.1.1.1	0x9bab	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:10.928272963 CEST	192.168.2.4	1.1.1.1	0x9634	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.945843935 CEST	192.168.2.4	1.1.1.1	0x261a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:10.960603952 CEST	192.168.2.4	1.1.1.1	0x4cc0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.974524975 CEST	192.168.2.4	1.1.1.1	0x2d06	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:11.296744108 CEST	192.168.2.4	1.1.1.1	0xf25f	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.297029018 CEST	192.168.2.4	1.1.1.1	0xcbcb	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.302598953 CEST	192.168.2.4	1.1.1.1	0xb134	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.316863060 CEST	192.168.2.4	1.1.1.1	0xfa9c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.325826883 CEST	192.168.2.4	1.1.1.1	0x4951	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:11.326790094 CEST	192.168.2.4	1.1.1.1	0xf449	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:13.837424040 CEST	192.168.2.4	1.1.1.1	0xf38a	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:13.918972969 CEST	192.168.2.4	1.1.1.1	0x59e0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:13.927018881 CEST	192.168.2.4	1.1.1.1	0x69f1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:13.935075998 CEST	192.168.2.4	1.1.1.1	0x6fe8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:14.084472895 CEST	192.168.2.4	1.1.1.1	0xce56	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.123809099 CEST	192.168.2.4	1.1.1.1	0xb6c8	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.124093056 CEST	192.168.2.4	1.1.1.1	0x1cf5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.134576082 CEST	192.168.2.4	1.1.1.1	0xd6ad	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:14.134949923 CEST	192.168.2.4	1.1.1.1	0xe0eb	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:14.880357027 CEST	192.168.2.4	1.1.1.1	0x49dc	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.892168045 CEST	192.168.2.4	1.1.1.1	0x4885	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.904165030 CEST	192.168.2.4	1.1.1.1	0x9b7c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:21.027950048 CEST	192.168.2.4	1.1.1.1	0xa0db	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.027985096 CEST	192.168.2.4	1.1.1.1	0xaa24	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.028255939 CEST	192.168.2.4	1.1.1.1	0x90f5	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.036102057 CEST	192.168.2.4	1.1.1.1	0x1ef6	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.036809921 CEST	192.168.2.4	1.1.1.1	0x9b16	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.037182093 CEST	192.168.2.4	1.1.1.1	0xfa27	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.049952984 CEST	192.168.2.4	1.1.1.1	0x281b	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:21.061274052 CEST	192.168.2.4	1.1.1.1	0x6333	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:21.061539888 CEST	192.168.2.4	1.1.1.1	0xc295	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 26, 2024 23:40:21.068249941 CEST	192.168.2.4	1.1.1.1	0xa65f	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.070770025 CEST	192.168.2.4	1.1.1.1	0x99f0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.078334093 CEST	192.168.2.4	1.1.1.1	0x3d55	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.078830957 CEST	192.168.2.4	1.1.1.1	0x18c7	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.086963892 CEST	192.168.2.4	1.1.1.1	0x4bbe	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:21.087090015 CEST	192.168.2.4	1.1.1.1	0x4236	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:21.727355957 CEST	192.168.2.4	1.1.1.1	0x91b2	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:22.486287117 CEST	192.168.2.4	1.1.1.1	0x838	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:33.759874105 CEST	192.168.2.4	1.1.1.1	0xa10b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:37.877222061 CEST	192.168.2.4	1.1.1.1	0xb22d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.877489090 CEST	192.168.2.4	1.1.1.1	0xff82	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.891436100 CEST	192.168.2.4	1.1.1.1	0xddea	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.892870903 CEST	192.168.2.4	1.1.1.1	0xc332	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 23:40:37.893606901 CEST	192.168.2.4	1.1.1.1	0x2cf0	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.904028893 CEST	192.168.2.4	1.1.1.1	0x454c	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 26, 2024 23:40:37.905546904 CEST	192.168.2.4	1.1.1.1	0x95a1	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.924721956 CEST	192.168.2.4	1.1.1.1	0x2ece	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:54.500863075 CEST	192.168.2.4	1.1.1.1	0x3848	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:54.509718895 CEST	192.168.2.4	1.1.1.1	0xbfcb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:40:55.167412043 CEST	192.168.2.4	1.1.1.1	0x5322	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:41:07.111565113 CEST	192.168.2.4	1.1.1.1	0xa950	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:41:35.294333935 CEST	192.168.2.4	1.1.1.1	0x4cce	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:41:35.302999020 CEST	192.168.2.4	1.1.1.1	0xeee7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 23:41:36.013355017 CEST	192.168.2.4	1.1.1.1	0xa04f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 23:40:08.669081926 CEST	1.1.1.1	192.168.2.4	0xd687	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:08.721683979 CEST	1.1.1.1	192.168.2.4	0x5527	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.472076893 CEST	1.1.1.1	192.168.2.4	0x7bba	No error (0)	youtube.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.483954906 CEST	1.1.1.1	192.168.2.4	0xe498	No error (0)	youtube.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.492675066 CEST	1.1.1.1	192.168.2.4	0x339f	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 26, 2024 23:40:10.607636929 CEST	1.1.1.1	192.168.2.4	0xe6dc	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:10.607636929 CEST	1.1.1.1	192.168.2.4	0xe6dc	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.616646051 CEST	1.1.1.1	192.168.2.4	0xdfa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.627537966 CEST	1.1.1.1	192.168.2.4	0x11ae	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 26, 2024 23:40:10.902093887 CEST	1.1.1.1	192.168.2.4	0xb7f0	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.916560888 CEST	1.1.1.1	192.168.2.4	0x8aaf	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.921088934 CEST	1.1.1.1	192.168.2.4	0x1089	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:10.921088934 CEST	1.1.1.1	192.168.2.4	0x1089	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.936506987 CEST	1.1.1.1	192.168.2.4	0x9634	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.950772047 CEST	1.1.1.1	192.168.2.4	0xcc16	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:10.950772047 CEST	1.1.1.1	192.168.2.4	0xcc16	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:10.968820095 CEST	1.1.1.1	192.168.2.4	0x4cc0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.304167032 CEST	1.1.1.1	192.168.2.4	0xf25f	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.304611921 CEST	1.1.1.1	192.168.2.4	0xcbcb	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.304611921 CEST	1.1.1.1	192.168.2.4	0xcbcb	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.310704947 CEST	1.1.1.1	192.168.2.4	0xb134	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:11.310704947 CEST	1.1.1.1	192.168.2.4	0xb134	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:11.310704947 CEST	1.1.1.1	192.168.2.4	0xb134	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.325306892 CEST	1.1.1.1	192.168.2.4	0xfa9c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:11.333796024 CEST	1.1.1.1	192.168.2.4	0x4951	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 26, 2024 23:40:11.334276915 CEST	1.1.1.1	192.168.2.4	0xf449	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:11.334276915 CEST	1.1.1.1	192.168.2.4	0xf449	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:13.846931934 CEST	1.1.1.1	192.168.2.4	0xf38a	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:13.926090956 CEST	1.1.1.1	192.168.2.4	0x59e0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:13.934614897 CEST	1.1.1.1	192.168.2.4	0x69f1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.079636097 CEST	1.1.1.1	192.168.2.4	0xbbce	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:14.079636097 CEST	1.1.1.1	192.168.2.4	0xbbce	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.092008114 CEST	1.1.1.1	192.168.2.4	0xce56	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:14.092008114 CEST	1.1.1.1	192.168.2.4	0xce56	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.117166996 CEST	1.1.1.1	192.168.2.4	0x5728	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.131433010 CEST	1.1.1.1	192.168.2.4	0x1cf5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.131464958 CEST	1.1.1.1	192.168.2.4	0xb6c8	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.888366938 CEST	1.1.1.1	192.168.2.4	0x49dc	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:14.888366938 CEST	1.1.1.1	192.168.2.4	0x49dc	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:14.888366938 CEST	1.1.1.1	192.168.2.4	0x49dc	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.899908066 CEST	1.1.1.1	192.168.2.4	0x4885	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:14.978744030 CEST	1.1.1.1	192.168.2.4	0xe1b7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.035412073 CEST	1.1.1.1	192.168.2.4	0xa0db	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.036055088 CEST	1.1.1.1	192.168.2.4	0x90f5	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:21.036055088 CEST	1.1.1.1	192.168.2.4	0x90f5	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.036091089 CEST	1.1.1.1	192.168.2.4	0xaa24	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:21.036091089 CEST	1.1.1.1	192.168.2.4	0xaa24	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.043426037 CEST	1.1.1.1	192.168.2.4	0x1ef6	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.044759989 CEST	1.1.1.1	192.168.2.4	0x9b16	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.044814110 CEST	1.1.1.1	192.168.2.4	0xfa27	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.059120893 CEST	1.1.1.1	192.168.2.4	0x281b	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 26, 2024 23:40:21.069401979 CEST	1.1.1.1	192.168.2.4	0x6333	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 23:40:21.069401979 CEST	1.1.1.1	192.168.2.4	0x6333	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 23:40:21.069401979 CEST	1.1.1.1	192.168.2.4	0x6333	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 23:40:21.069401979 CEST	1.1.1.1	192.168.2.4	0x6333	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 23:40:21.069685936 CEST	1.1.1.1	192.168.2.4	0xc295	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 26, 2024 23:40:21.077825069 CEST	1.1.1.1	192.168.2.4	0x99f0	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.078036070 CEST	1.1.1.1	192.168.2.4	0xa65f	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:21.078036070 CEST	1.1.1.1	192.168.2.4	0xa65f	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.078036070 CEST	1.1.1.1	192.168.2.4	0xa65f	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.078036070 CEST	1.1.1.1	192.168.2.4	0xa65f	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.078036070 CEST	1.1.1.1	192.168.2.4	0xa65f	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.086064100 CEST	1.1.1.1	192.168.2.4	0x3d55	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.086554050 CEST	1.1.1.1	192.168.2.4	0x18c7	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.086554050 CEST	1.1.1.1	192.168.2.4	0x18c7	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.086554050 CEST	1.1.1.1	192.168.2.4	0x18c7	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:21.086554050 CEST	1.1.1.1	192.168.2.4	0x18c7	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.884449005 CEST	1.1.1.1	192.168.2.4	0xa8bb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:37.884449005 CEST	1.1.1.1	192.168.2.4	0xa8bb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.885449886 CEST	1.1.1.1	192.168.2.4	0xff82	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.885449886 CEST	1.1.1.1	192.168.2.4	0xff82	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.885449886 CEST	1.1.1.1	192.168.2.4	0xff82	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.885449886 CEST	1.1.1.1	192.168.2.4	0xff82	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.885580063 CEST	1.1.1.1	192.168.2.4	0xb22d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.901402950 CEST	1.1.1.1	192.168.2.4	0xddea	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:37.901402950 CEST	1.1.1.1	192.168.2.4	0xddea	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.903367043 CEST	1.1.1.1	192.168.2.4	0x2cf0	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.903367043 CEST	1.1.1.1	192.168.2.4	0x2cf0	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.903367043 CEST	1.1.1.1	192.168.2.4	0x2cf0	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.903367043 CEST	1.1.1.1	192.168.2.4	0x2cf0	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:37.917244911 CEST	1.1.1.1	192.168.2.4	0x95a1	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:39.178643942 CEST	1.1.1.1	192.168.2.4	0x441d	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:39.178643942 CEST	1.1.1.1	192.168.2.4	0x441d	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:54.508816957 CEST	1.1.1.1	192.168.2.4	0x3848	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:40:55.174860001 CEST	1.1.1.1	192.168.2.4	0x5322	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:40:55.174860001 CEST	1.1.1.1	192.168.2.4	0x5322	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:41:07.106745005 CEST	1.1.1.1	192.168.2.4	0x7eaf	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:41:35.302150965 CEST	1.1.1.1	192.168.2.4	0x4cce	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 23:41:36.021693945 CEST	1.1.1.1	192.168.2.4	0xa04f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 23:41:36.021693945 CEST	1.1.1.1	192.168.2.4	0xa04f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7740	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 23:40:10.652149916 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:11.261354923 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28554 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	34.107.221.82	80	7740	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 23:40:11.340847015 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:11.940080881 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32418 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	7740	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 23:40:12.044187069 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:12.642996073 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28555 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:13.014837027 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:13.141207933 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28556 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:14.348946095 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:14.474456072 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28557 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:14.677639008 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:14.803162098 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28557 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:14.887232065 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:15.011888981 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28557 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:21.725955963 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:21.878082991 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28564 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:23.566380024 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:23.692436934 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28566 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:33.701813936 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:40:34.402219057 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:34.527502060 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28577 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:35.466903925 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:35.592644930 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28578 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:38.537755013 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:38.663142920 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28581 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:39.166477919 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:39.291997910 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28582 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:40:49.298640966 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:40:55.167224884 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:40:55.292929888 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28598 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:41:05.304228067 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:41:07.737108946 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:41:07.863151073 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28610 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:41:17.879508972 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:41:27.886523962 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:41:36.013216019 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 23:41:36.137919903 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 28639 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 23:41:46.138617992 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:41:56.157533884 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:42:06.183378935 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49752	34.107.221.82	80	7740	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 23:40:12.849606037 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:13.449492931 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32420 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:13.630095005 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:13.755650997 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32420 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:14.477905035 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:14.603590012 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32421 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:14.886112928 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:15.011409044 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32421 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:15.100672007 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:15.230627060 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32422 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:22.487333059 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:22.612953901 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32429 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:24.474968910 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:24.600860119 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32431 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:34.558001995 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:34.683736086 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32441 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:35.595041037 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:35.720444918 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32442 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:38.680344105 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:38.809340000 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32445 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:39.297729969 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:39.423391104 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32446 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:40:49.430155039 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:40:55.295653105 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:40:55.422055006 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32462 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:41:05.442461014 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:41:07.923377991 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:41:08.049254894 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32474 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:41:18.057921886 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:41:28.071624041 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:41:36.142772913 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 23:41:36.269834995 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 32503 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 23:41:46.282761097 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:41:56.295686007 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 23:42:06.304609060 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	17:40:01
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x440000
File size:	919'552 bytes
MD5 hash:	C66A0B6DF999E2408E0F15FAD285B788
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:40:01
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x4b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:40:01
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x4b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x4b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x4b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x4b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:40:04
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:40:05
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:40:05
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ae33e5d-6f66-4269-9aad-bb5beef63bd6} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19fd896ef10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	17:40:08
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4108 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 4204 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a678e984-104c-431b-8a00-cf9919c7d1e3} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19fe8b54c10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	17:40:13
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5052 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96dff99a-b4b2-4052-8a9a-312eb0d9a788} 7740 "\\.\pipe\gecko-crash-server-pipe.7740" 19ff1e6c310 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1551
Total number of Limit Nodes:	53

Executed Functions

Function 004442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0044430D

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

GetCurrentProcess.KERNEL32(?,004DCB64,00000000,?,?), ref: 00444422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00444429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00444454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00444466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00444474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0044447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004444A0

Strings

kernel32.dll, xrefs: 0044444F
GetNativeSystemInfo, xrefs: 00444460
|O, xrefs: 004836F8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4ef7942196d7337a5939c998f8fed81f8d91892789e47b1bf5b647dc335596ab
Instruction ID: 5d12485ffadc2bbbddb2dbccfe402c205ffdfcbb40f98335773eb5014b5bbb06
Opcode Fuzzy Hash: 4ef7942196d7337a5939c998f8fed81f8d91892789e47b1bf5b647dc335596ab
Instruction Fuzzy Hash: 76A1176590AAD0CFDB11DB687C843D97FA46B72741B18CCDBD26093729D228450DEB2E

Function 004442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004450AA,?,?,00000000,00000000), ref: 004442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004450AA,?,?,00000000,00000000), ref: 004442C9
LoadResource.KERNEL32(?,00000000,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20), ref: 004835BE
SizeofResource.KERNEL32(?,00000000,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20), ref: 004835D3
LockResource.KERNEL32(004450AA,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20,?), ref: 004835E6

Strings

SCRIPT, xrefs: 004442BF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7d917ffa8e76a866c36b33ae6c9143210a2908c62eae9224c22ca7ba7dc73ad9
Instruction ID: 93847e93ddc6f856a7afd4b3e2fd9f4d346232565c8d811aced674530c585a88
Opcode Fuzzy Hash: 7d917ffa8e76a866c36b33ae6c9143210a2908c62eae9224c22ca7ba7dc73ad9
Instruction Fuzzy Hash: C4117CB0601701BFEB218BA5DC88F277BB9EBC5B91F2045AEF40296290DBB1D800C665

Function 00482BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00442B6B

Part of subcall function 00443A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00511418,?,00442E7F,?,?,?,00000000), ref: 00443A78

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00502224), ref: 00482C10
ShellExecuteW.SHELL32(00000000,?,?,00502224), ref: 00482C17

Strings

runas, xrefs: 00482C0B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b8224c5565467e18f2a0fe8b57ad6a5595dd17793ad4d5ed0e1db55367d3283e
Instruction ID: ba0f5df53f78948406967863b67ed676f51a78ffcf95cc7d178816576d78ac10
Opcode Fuzzy Hash: b8224c5565467e18f2a0fe8b57ad6a5595dd17793ad4d5ed0e1db55367d3283e
Instruction Fuzzy Hash: 7A113A311083416AF704FF21D8859BFBBA4AF90B49F44042FF542020A2CFB89949D71E

Function 004AD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004AD501
Process32FirstW.KERNEL32(00000000,?), ref: 004AD50F
Process32NextW.KERNEL32(00000000,?), ref: 004AD52F
CloseHandle.KERNELBASE(00000000), ref: 004AD5DC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ff840efcbeb0dc118537223f3c1671bf89fa990e74cd3f7cf2b32a6d68bb35b9
Instruction ID: c5d8c0786fe27042e6e1e3104109ed61e8f91e8bcce322bf982566cdb594eb60
Opcode Fuzzy Hash: ff840efcbeb0dc118537223f3c1671bf89fa990e74cd3f7cf2b32a6d68bb35b9
Instruction Fuzzy Hash: 6C31C471508301AFD300EF54C881AAFBBF8EF99348F14092EF582861A2EB759944CB97

Function 004ADBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00485222), ref: 004ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 004ADBDD
FindFirstFileW.KERNEL32(?,?), ref: 004ADBEE
FindClose.KERNEL32(00000000), ref: 004ADBFA

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4194f9766e15aba1ccb2284da3ad15dc4c3a87d076ad1aa54b765c46f9626e26
Instruction ID: ab069b7c5fb0ae612a213032e04c17cc5d37f6e8b8301f22da4724f41e5ef17a
Opcode Fuzzy Hash: 4194f9766e15aba1ccb2284da3ad15dc4c3a87d076ad1aa54b765c46f9626e26
Instruction Fuzzy Hash: 72F0A030C119215792206B78AC4D8AB376C9E02334B944763F876C25E0EBB85D55C69E

Function 00464CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000,?,004728E9), ref: 00464D09
TerminateProcess.KERNEL32(00000000,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000,?,004728E9), ref: 00464D10
ExitProcess.KERNEL32 ref: 00464D22

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f8261537ad3431f6e4c1b0e6918fef14662c7ba5aa06ea1e40c46ca0e7c3aa76
Instruction ID: a5b42991390f8a271986e92c55c8af9d320883932a3247fd4caf56aa5c67da61
Opcode Fuzzy Hash: f8261537ad3431f6e4c1b0e6918fef14662c7ba5aa06ea1e40c46ca0e7c3aa76
Instruction Fuzzy Hash: C9E0B631401149ABCF21AF55DD49A593B69EB82785F10842AFC098B222DB39DD42DA89

Function 0044BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#Q, xrefs: 004907CE

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#Q
API String ID: 3964851224-158705473
Opcode ID: bc3f3df0173048a7cbd610b05270f94f2e030a3e036ffacb37143c4b8597ffed
Instruction ID: fe5a39c86181f9cf79d1ae2702ea72aeee18ef6cedea6009e2a1c64598f83df7
Opcode Fuzzy Hash: bc3f3df0173048a7cbd610b05270f94f2e030a3e036ffacb37143c4b8597ffed
Instruction Fuzzy Hash: F9A26E706083019FDB50DF15C480B2BBBE1BF99304F18896EE9998B352D779EC45CB9A

Function 004CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 004CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004CB1D4
_wcslen.LIBCMT ref: 004CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004CB236
_wcslen.LIBCMT ref: 004CB332

Part of subcall function 004B05A7: GetStdHandle.KERNEL32(000000F6), ref: 004B05C6

_wcslen.LIBCMT ref: 004CB34B
_wcslen.LIBCMT ref: 004CB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004CB3B6
GetLastError.KERNEL32(00000000), ref: 004CB407
CloseHandle.KERNEL32(?), ref: 004CB439
CloseHandle.KERNEL32(00000000), ref: 004CB44A
CloseHandle.KERNEL32(00000000), ref: 004CB45C
CloseHandle.KERNEL32(00000000), ref: 004CB46E
CloseHandle.KERNEL32(?), ref: 004CB4E3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1a6c202273803cf54abbb61b13ba9049717526f7adffb6543dcf4265884ec01b
Instruction ID: a71c4b20f001fb8cc1a96b29c4d0441904f2a1757faa604840f5b10b314359c5
Opcode Fuzzy Hash: 1a6c202273803cf54abbb61b13ba9049717526f7adffb6543dcf4265884ec01b
Instruction Fuzzy Hash: 4CF19C356082409FD754EF25C882B2BBBE5EF85318F14855EF8854B2A2CB39DC05CB9A

Function 0044D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0044D807
timeGetTime.WINMM ref: 0044DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB28
TranslateMessage.USER32(?), ref: 0044DB7B
DispatchMessageW.USER32(?), ref: 0044DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB9F
Sleep.KERNELBASE(0000000A), ref: 0044DBB1

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: ac6bf6562d7fc178118e05c8f6831949d767f40d0f35e5814ee245e67d51f46a
Instruction ID: 6460be988781d31e70a8c26148c01bcd580e65ccf735d09a405225ea97a92ac0
Opcode Fuzzy Hash: ac6bf6562d7fc178118e05c8f6831949d767f40d0f35e5814ee245e67d51f46a
Instruction Fuzzy Hash: 3B42D470A04642EFEB24CF25C884BAABBE1FF45304F14856FE45587391D778E849CB8A

Function 00442CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00442D07
RegisterClassExW.USER32(00000030), ref: 00442D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00442D42
InitCommonControlsEx.COMCTL32(?), ref: 00442D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00442D6F
LoadIconW.USER32(000000A9), ref: 00442D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00442D94

Strings

0, xrefs: 00442CE9
TaskbarCreated, xrefs: 00442D37
+, xrefs: 00442CF0
AutoIt v3 GUI, xrefs: 00442D23

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cbe30313d8f4974dd3f2640c3549f5bd5da602ce5e1f22c09f51cdca33ac5707
Instruction ID: 3688adc7738a65c30cb61ed8d04c8e52c5ce0fde6eb1b0a8c4716bd4db3bc1cb
Opcode Fuzzy Hash: cbe30313d8f4974dd3f2640c3549f5bd5da602ce5e1f22c09f51cdca33ac5707
Instruction Fuzzy Hash: F421C8B590221AAFDB00DFA4E889BDDBBB4FB08701F10816BF621A6290D7B54544DF99

Function 0048065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0048039A: CreateFileW.KERNELBASE(00000000,00000000,?,00480704,?,?,00000000,?,00480704,00000000,0000000C), ref: 004803B7

GetLastError.KERNEL32 ref: 0048076F
__dosmaperr.LIBCMT ref: 00480776
GetFileType.KERNELBASE(00000000), ref: 00480782
GetLastError.KERNEL32 ref: 0048078C
__dosmaperr.LIBCMT ref: 00480795
CloseHandle.KERNEL32(00000000), ref: 004807B5
CloseHandle.KERNEL32(?), ref: 004808FF
GetLastError.KERNEL32 ref: 00480931
__dosmaperr.LIBCMT ref: 00480938

Strings

H, xrefs: 004808BD

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4d7002a36a8f9c9eaff585fe0e558cb6234ae5c82fefcc32e3c6fdcf31deca99
Instruction ID: b6584fb4f980b995ec135db1300442721fd88bd319fa200a0e3e384be7f49296
Opcode Fuzzy Hash: 4d7002a36a8f9c9eaff585fe0e558cb6234ae5c82fefcc32e3c6fdcf31deca99
Instruction Fuzzy Hash: 7CA13732A101048FDF19AF68D852BAE7BA0AB06324F14415FF8159B3D1D7399C5BCB99

Function 0044344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00443A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00511418,?,00442E7F,?,?,?,00000000), ref: 00443A78

Part of subcall function 00443357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00443379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0044356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0048318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004831CE
RegCloseKey.ADVAPI32(?), ref: 00483210
_wcslen.LIBCMT ref: 00483277
_wcslen.LIBCMT ref: 00483286

Strings

Include, xrefs: 00483184, 004831C5
Software\AutoIt v3\AutoIt, xrefs: 00443560
\, xrefs: 0048328C
\Include\, xrefs: 00443527

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: eaf497fe88bef4a02b87429abbba1e58cf4fd777a159e27275bfd2e63bd95d03
Instruction ID: 7981a67b3e4dd62e03b4ba9a4a056cfaec4e7c20a8f67dc323da5edcb5ab6a5b
Opcode Fuzzy Hash: eaf497fe88bef4a02b87429abbba1e58cf4fd777a159e27275bfd2e63bd95d03
Instruction Fuzzy Hash: 6371AD714043019ED704EF2AEC8299BBBE8FF94744F404C2FF45583261EB389A58CB5A

Function 00442B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00442B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00442B9D
LoadIconW.USER32(00000063), ref: 00442BB3
LoadIconW.USER32(000000A4), ref: 00442BC5
LoadIconW.USER32(000000A2), ref: 00442BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00442BEF
RegisterClassExW.USER32(?), ref: 00442C40

Part of subcall function 00442CD4: GetSysColorBrush.USER32(0000000F), ref: 00442D07
Part of subcall function 00442CD4: RegisterClassExW.USER32(00000030), ref: 00442D31
Part of subcall function 00442CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00442D42
Part of subcall function 00442CD4: InitCommonControlsEx.COMCTL32(?), ref: 00442D5F
Part of subcall function 00442CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00442D6F
Part of subcall function 00442CD4: LoadIconW.USER32(000000A9), ref: 00442D85
Part of subcall function 00442CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00442D94

Strings

0, xrefs: 00442C0F
#, xrefs: 00442C16
AutoIt v3, xrefs: 00442C2F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e5d7f7fef5fd9553c70609173965a10001edaaee81e95b612099916d588b9fb0
Instruction ID: 237fa8df1809e38391637b9791aec449ff132ea14e4639a5549f9fdaf604947c
Opcode Fuzzy Hash: e5d7f7fef5fd9553c70609173965a10001edaaee81e95b612099916d588b9fb0
Instruction Fuzzy Hash: 5B217F70E02315ABDB109F95EC94AD97FB4FB18B40F0084ABF610A22A4D3B10544EF8C

Function 00443170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0044316A,?,?), ref: 004431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0044316A,?,?), ref: 00443204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00443227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0044316A,?,?), ref: 00443232
CreatePopupMenu.USER32 ref: 00443246
PostQuitMessage.USER32(00000000), ref: 00443267

Strings

TaskbarCreated, xrefs: 0044322D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 65b5b24d10935c6804b1b3ac78f624f5dfc4ea7fd117cdc3be86d063a120020f
Instruction ID: 88a98ec6f47ea700d45017a46820788515ed862844a84f1f7b454c99a80dbf36
Opcode Fuzzy Hash: 65b5b24d10935c6804b1b3ac78f624f5dfc4ea7fd117cdc3be86d063a120020f
Instruction Fuzzy Hash: 7D415930200205A7FF142F789D49BBE3A55F711B06F04416BFA12853A5CBEC9E41D76E

Function 00441410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00441459
CoUninitialize.COMBASE ref: 004414F8
UnregisterHotKey.USER32(?), ref: 004416DD
DestroyWindow.USER32(?), ref: 004824B9
FreeLibrary.KERNEL32(?), ref: 0048251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0048254B

Strings

close all, xrefs: 00441454

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 982329fd749efbc5f0342029c3b8d295e23b2f06751770d478d71c3ff52030aa
Instruction ID: c8d898f5a9d5b771e562e646e678dfc106df17fb9795d8bd62a0d24e1d170d83
Opcode Fuzzy Hash: 982329fd749efbc5f0342029c3b8d295e23b2f06751770d478d71c3ff52030aa
Instruction Fuzzy Hash: CED1CC307012129FDB19EF15C599A2AF7A0BF05704F1446AFE80A6B362DB38EC56CF59

Function 00442C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00442C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00442CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00441CAD,?), ref: 00442CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00441CAD,?), ref: 00442CCF

Strings

AutoIt v3, xrefs: 00442C89, 00442C8E, 00442C8F
edit, xrefs: 00442CAC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d32a85d86ea65a7c6f344e4a920457c59d5d0581aaf6d97724501567e39d8169
Instruction ID: e0e4be680c0f3d73271899106ebe627805ae4d432946068f4c247df8486a4ba5
Opcode Fuzzy Hash: d32a85d86ea65a7c6f344e4a920457c59d5d0581aaf6d97724501567e39d8169
Instruction Fuzzy Hash: 74F05E755402917AEB300713AC58EB77FBDD7D6F50F0085AFFA10A32A4C6750844EAB8

Function 00443B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B83

Strings

Control Panel\Mouse, xrefs: 00443B3E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 49a19f1299adb8b6fa28f023fba4b5c2d6e253fbdf3302028acfac40fb6d5313
Instruction ID: 678ba80e24ca60733b9712cf00d8095b733fc32482e1b25b46adf43a17b556bd
Opcode Fuzzy Hash: 49a19f1299adb8b6fa28f023fba4b5c2d6e253fbdf3302028acfac40fb6d5313
Instruction Fuzzy Hash: BB115AB1511208FFEB218FA4DC84AAFB7B8EF00B45B10846AA801D7211D231AE409768

Function 00443923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004833A2

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00443A04

Strings

Line: , xrefs: 004833EB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 2633230c90580a693d6ceae46ecb618f10c38eb50f95d4e142d6004ee3ca02bf
Instruction ID: b95435872d310a28332a661fcebcd7064a787f6eb1dee93a5503e43b1dc3f063
Opcode Fuzzy Hash: 2633230c90580a693d6ceae46ecb618f10c38eb50f95d4e142d6004ee3ca02bf
Instruction Fuzzy Hash: FA31E471408300AAE721EF20DC45BDFB7D8AF40B19F10496FF59992191EB789A49C7CB

Function 00442DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00482C8C

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 00442DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00442DC4

Strings

`eP, xrefs: 00482C85
X, xrefs: 00482C5A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eP
API String ID: 779396738-3660009032
Opcode ID: a2215ff22072f86fb6b07b0e56e862c1e3872afb3ea1fb75ea60a743bd482838
Instruction ID: a59732b2ccb16d04998dcc926d5f05f74336f62bd392b5f9699f22d6849eae3c
Opcode Fuzzy Hash: a2215ff22072f86fb6b07b0e56e862c1e3872afb3ea1fb75ea60a743bd482838
Instruction Fuzzy Hash: DD21A470A002589ADB01AF95C8457EE7BF8AF48308F00405AE505A7281DBF85649CB69

Function 0045FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00460668

Part of subcall function 004632A4: RaiseException.KERNEL32(?,?,?,0046068A,?,00511444,?,?,?,?,?,?,0046068A,00441129,00508738,00441129), ref: 00463304

__CxxThrowException@8.LIBVCRUNTIME ref: 00460685

Strings

Unknown exception, xrefs: 00460692

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: d79350511744dcf0ec1d8af1fcd7c5f1b34531754a836dd64b432e8bf0c56611
Instruction ID: 9cb27959b7f77c09cd8d132bb688fbda648552e3a84517e7ee9e3535ec688763
Opcode Fuzzy Hash: d79350511744dcf0ec1d8af1fcd7c5f1b34531754a836dd64b432e8bf0c56611
Instruction Fuzzy Hash: A4F0FF2490020D73CB00BAA6D846C9F7B6C6E00308B60403BB915866D2FF39DA2E858B

Function 004410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00441BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00441BF4
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00441BFC
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00441C07
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00441C12
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00441C1A
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00441C22

Part of subcall function 00441B4A: RegisterWindowMessageW.USER32(00000004,?,004412C4), ref: 00441BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0044136A
OleInitialize.OLE32 ref: 00441388
CloseHandle.KERNEL32(00000000,00000000), ref: 004824AB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 754d603915766dd8d84f66169f3de82500345a24a135c3ded65e049bf177ae37
Instruction ID: 22e58ddbca1de210421c7eccae6c58f18a5c25a069507955b39722413b5965e7
Opcode Fuzzy Hash: 754d603915766dd8d84f66169f3de82500345a24a135c3ded65e049bf177ae37
Instruction Fuzzy Hash: 5F71E1B4911A018ED784EF7AA8956D53AE2FBA8344306C1EFD60AC7371E7744449EF4C

Function 004AC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00443923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00443A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004AC259
KillTimer.USER32(?,00000001,?,?), ref: 004AC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004AC270

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 804697fb0e80e462812e29affb712fb1916e12d5f31b5044f0fcef72a0466761
Instruction ID: 67f7fad469b43c80694a5d9e333056d7c87bb2d524338f0e10f029916512b86b
Opcode Fuzzy Hash: 804697fb0e80e462812e29affb712fb1916e12d5f31b5044f0fcef72a0466761
Instruction Fuzzy Hash: 7D31E571900744AFEB628F648885BE7BBEC9B27308F0004DFD2DA97241C3785A85CB5A

Function 004786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004785CC,?,00508CC8,0000000C), ref: 00478704
GetLastError.KERNEL32(?,004785CC,?,00508CC8,0000000C), ref: 0047870E
__dosmaperr.LIBCMT ref: 00478739

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 68fafc01d62619cf775a0ce33a2146a4d575abab5333fb1c823a5a03ec58c108
Instruction ID: a176f63e4f6848a08e98e94dbc5e7d9ef1bdaad79741544376c3281a58fb960a
Opcode Fuzzy Hash: 68fafc01d62619cf775a0ce33a2146a4d575abab5333fb1c823a5a03ec58c108
Instruction Fuzzy Hash: 37014832A4522036D6246334684E7EF275A4B91778F29C11FEC0C8F2E2DEEC8C85819C

Function 0044DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0044DB7B
DispatchMessageW.USER32(?), ref: 0044DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB9F
Sleep.KERNELBASE(0000000A), ref: 0044DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00491CC9

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: e5c3d535d54f63531f5cbbfa56a26653fe05875aca18914c663bfefe22c7a0c8
Instruction ID: cfd0ed14e6f131edfb9f2a6ea8d284e46b5ddb0c21d854380380a4cb6d119c40
Opcode Fuzzy Hash: e5c3d535d54f63531f5cbbfa56a26653fe05875aca18914c663bfefe22c7a0c8
Instruction Fuzzy Hash: EAF054306053429BFB30C7608C89FEB77A8EB44311F10452BE61A831D0DB34A449CB1D

Function 00451310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004517F6

Strings

CALL, xrefs: 004517C6

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: aaf23d27f344e54f6360f222bbfbdb478787f79698a02015618be5b66db393e2
Instruction ID: dfc3be6f01bc5547f9f2665d21aa4e351b8fd0173a5582bba5d250e6f87cc3d3
Opcode Fuzzy Hash: aaf23d27f344e54f6360f222bbfbdb478787f79698a02015618be5b66db393e2
Instruction Fuzzy Hash: 21229E70608301AFC714DF15C480B2ABBF1BF85319F15892EF8968B362D779E949CB5A

Function 00443837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00443908

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8d121da5f316c3cc7c9f15b85cbaf8fda1d19f3870773850659b5ce2f5739047
Instruction ID: 6a5272416407c61594ce4e1b61ee7bf71155e163c2d4ec114ea42c156a1881be
Opcode Fuzzy Hash: 8d121da5f316c3cc7c9f15b85cbaf8fda1d19f3870773850659b5ce2f5739047
Instruction Fuzzy Hash: 6231B4B05047019FE720EF25D885797B7E4FB59709F00096FF69983340E775AA44CB5A

Function 0045F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0045F661

Part of subcall function 0044D730: GetInputState.USER32 ref: 0044D807

Sleep.KERNEL32(00000000), ref: 0049F2DE

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: a2f112a28c72df399222c4c7ce488db0f2161aa16da71d6caa59f08405c2f1d9
Instruction ID: 046b90dd77b3c8a1991ab6647de9b5a97f0014bc5edaa945b6f5fcd89b057e31
Opcode Fuzzy Hash: a2f112a28c72df399222c4c7ce488db0f2161aa16da71d6caa59f08405c2f1d9
Instruction Fuzzy Hash: E8F08231240205AFD310EF65D545B5AB7E4FF45765F00003BE85DC72A1DB70A804CF99

Function 00444ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00444E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E9C
Part of subcall function 00444E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00444EAE
Part of subcall function 00444E90: FreeLibrary.KERNEL32(00000000,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EFD

Part of subcall function 00444E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E62
Part of subcall function 00444E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00444E74
Part of subcall function 00444E59: FreeLibrary.KERNEL32(00000000,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E87

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d2759056268196ef8dd648dc5e39be1d682ed96ff9738ac6e7eb2ef9ba956f8d
Instruction ID: 1ac20374369c95a2c179ff2503c517e0b98821f2c5e98f46d5b2f5142ff55c90
Opcode Fuzzy Hash: d2759056268196ef8dd648dc5e39be1d682ed96ff9738ac6e7eb2ef9ba956f8d
Instruction Fuzzy Hash: D011E732600205ABEF14BF62DC02FAD77A5AF80B15F20842FF542A61C1EE78DA099758

Function 00478402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00478440

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f7478605330f636079734377b23e766588ccd56946aea595ec9d647d2b6f3128
Instruction ID: ca23906fe42ddb8fd6e72907e6ec3752bf3922d84abfb95cc8b53a5d9b00cc0f
Opcode Fuzzy Hash: f7478605330f636079734377b23e766588ccd56946aea595ec9d647d2b6f3128
Instruction Fuzzy Hash: 2611487190410AAFCB05DF58E9449DF7BF4EF48314F10805AF808AB312EA70DA11CBA9

Function 00475000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00474C7D: RtlAllocateHeap.NTDLL(00000008,00441129,00000000,?,00472E29,00000001,00000364,?,?,?,0046F2DE,00473863,00511444,?,0045FDF5,?), ref: 00474CBE

_free.LIBCMT ref: 0047506C

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 834591ad323bd6f39fbcbdc501f5e796600f84bc99fd8f73d55215d2fdea21bf
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B0012BB22047445BE3218F65984199AFBECFB85370F25451EE19897280E6746805C678

Function 0046E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: c89fc231e16683e5bccdf3b5de19f8a38a7c69877adb2de49b58396d05492a16
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 25F0F936A11A1496C6313A77DD05B9733D89F62338F10471FF424922D2EB7C980685AF

Function 00474C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00441129,00000000,?,00472E29,00000001,00000364,?,?,?,0046F2DE,00473863,00511444,?,0045FDF5,?), ref: 00474CBE

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca1096a605803c321d799005684e5d56e5b9496a2ce39178dc193aead9e1248d
Instruction ID: 04b3ab932b2dacfa5a985f9c022db7ae9a4e4c30c7a1d40b9ce389c2775b82e4
Opcode Fuzzy Hash: ca1096a605803c321d799005684e5d56e5b9496a2ce39178dc193aead9e1248d
Instruction Fuzzy Hash: 08F0BB316021246EDB225F629C05BFB3748AFC1760B1BC517B91D972C4DB39DC05959D

Function 00473820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 58b59ee86e6b7e5d47af003e5644711885c8141caa7bcc430cf04687c6da66ff
Instruction ID: de3d5d51bfb8c8d3e5d751b347f1259388313f6072ab6522c603d86a8c38e356
Opcode Fuzzy Hash: 58b59ee86e6b7e5d47af003e5644711885c8141caa7bcc430cf04687c6da66ff
Instruction Fuzzy Hash: 9BE0A02110122596DB213E679C00BDB37C8AB827B2B068127BC18A26C1DB399D01A5EF

Function 00444F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444F6D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a51b09c90e80300a39d67c94bcc87ef567e4a1dfd175023572e15410ea7d7ed
Instruction ID: 60956efa9e85b2767f189e24d89fc8693c78886c379a32c813f66f4a295abd23
Opcode Fuzzy Hash: 4a51b09c90e80300a39d67c94bcc87ef567e4a1dfd175023572e15410ea7d7ed
Instruction Fuzzy Hash: D4F03071105752CFEB349F65D490A16B7E4AF54319310897FE1EA82621C7359848DF19

Function 004D2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004D2A66

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 597d2b9e4aaef9fe849cccaa309722b735a294a93d579703c36ff3dff3d61ba8
Instruction ID: 9ca4c5b0746be3e6257d793f9a3a237f37086a239c0a82ba1d45e034b6a28d91
Opcode Fuzzy Hash: 597d2b9e4aaef9fe849cccaa309722b735a294a93d579703c36ff3dff3d61ba8
Instruction Fuzzy Hash: 8FE04F76350116AAC714EA31DC948FEB35CEBB5399710453BFC16C2310EBB8D99686A8

Function 004430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0044314E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 041810799e7b7f5aebfb87e94ef345fc1c4122bb0d0dd61dc7b5c4b0ee283bbf
Instruction ID: 8eedf0b421fe1b2724b01a266ad8ffa95d93d7065a706e475f2ba061da5b2cf0
Opcode Fuzzy Hash: 041810799e7b7f5aebfb87e94ef345fc1c4122bb0d0dd61dc7b5c4b0ee283bbf
Instruction Fuzzy Hash: 21F0A7709003149FE7529F24DC457D67BBCA70170CF0000EAA64896285DB744788CF45

Function 00442DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00442DC4

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e4a915579dc9778be1b1216905954671bf3110e05f748ed4868d3f83ea642fb0
Instruction ID: 84f0dda81e19cd48690b8a30029a7f8b90fcf59e321822fefcf665de6199973f
Opcode Fuzzy Hash: e4a915579dc9778be1b1216905954671bf3110e05f748ed4868d3f83ea642fb0
Instruction Fuzzy Hash: 1FE0CD72A001245BCB10A2599C05FDA77DDDFC8794F0500B7FD09D7258D964AD80C659

Function 00442B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00443837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00443908

Part of subcall function 0044D730: GetInputState.USER32 ref: 0044D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00442B6B

Part of subcall function 004430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0044314E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 80f0ae5c40132efa3f4b77c3f9c46f5106b3db31974d7d93ddd8a1520dd41889
Instruction ID: 754d3e65709aec7bebf1bba0160d51c9852577c875ab93fc1d2c46f40df4ba7d
Opcode Fuzzy Hash: 80f0ae5c40132efa3f4b77c3f9c46f5106b3db31974d7d93ddd8a1520dd41889
Instruction Fuzzy Hash: 83E0262170024403EA04BF3698524AEB7899BD1B5AF40153FF14243163CEAC4989821D

Function 0048039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00480704,?,?,00000000,?,00480704,00000000,0000000C), ref: 004803B7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 502f2d8cce2891071c5753cb3bafaed66d414ea3d60f239f120b54e14f1a9a56
Instruction ID: 3b735f5a1c87884d852f9dfe2427ed504f707095d9e9503effc7daeaf1261fe2
Opcode Fuzzy Hash: 502f2d8cce2891071c5753cb3bafaed66d414ea3d60f239f120b54e14f1a9a56
Instruction Fuzzy Hash: 97D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010BE1856020C732E821EB94

Function 00441CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00441CBC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 56260797d8a6a4bf3053153abd436c5f3ab50f37b416353d22972aa936901174
Instruction ID: cb07b859eaa7480e199b012bf077c1defa4faea4d6a3cf5c27192feed63508c7
Opcode Fuzzy Hash: 56260797d8a6a4bf3053153abd436c5f3ab50f37b416353d22972aa936901174
Instruction Fuzzy Hash: B9C09236280305AFF6148B80BC9AF907B65E368B01F04C502F709A95E3C3A22824FA58

Non-executed Functions

Function 004D9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004D96C9
SendMessageW.USER32 ref: 004D96F2
GetKeyState.USER32(00000011), ref: 004D978B
GetKeyState.USER32(00000009), ref: 004D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004D97AE
GetKeyState.USER32(00000010), ref: 004D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004D97E9
SendMessageW.USER32 ref: 004D9810
SendMessageW.USER32(?,00001030,?,004D7E95), ref: 004D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004D9941
SetCapture.USER32(?), ref: 004D994A
ClientToScreen.USER32(?,?), ref: 004D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004D99D6
ReleaseCapture.USER32 ref: 004D99E1
GetCursorPos.USER32(?), ref: 004D9A19
ScreenToClient.USER32(?,?), ref: 004D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004D9A80
SendMessageW.USER32 ref: 004D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004D9AEB
SendMessageW.USER32 ref: 004D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004D9B4A
GetCursorPos.USER32(?), ref: 004D9B68
ScreenToClient.USER32(?,?), ref: 004D9B75
GetParent.USER32(?), ref: 004D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004D9BFA
SendMessageW.USER32 ref: 004D9C2B
ClientToScreen.USER32(?,?), ref: 004D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004D9CDE
SendMessageW.USER32 ref: 004D9D01
ClientToScreen.USER32(?,?), ref: 004D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004D9D82

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

GetWindowLongW.USER32(?,000000F0), ref: 004D9E05

Strings

p#Q, xrefs: 004D9990
@GUI_DRAGID, xrefs: 004D997D
F, xrefs: 004D9D07

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#Q
API String ID: 3429851547-4150650095
Opcode ID: af580b95b5b5de2486d563454b5c155ffe71697efddc00b5738b3a2f97fd4bef
Instruction ID: 64daf8ab0eedf3fe3ba9a20979cc46aad404fb0de3c89662afcc3d7d5f808a3f
Opcode Fuzzy Hash: af580b95b5b5de2486d563454b5c155ffe71697efddc00b5738b3a2f97fd4bef
Instruction Fuzzy Hash: 1B429830204201AFDB24CF24C8A4AAABBE5FF49314F144A5BF699D73A1D735EC54CB4A

Function 004D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004D4A7E
IsMenu.USER32(?), ref: 004D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D4B20
GetWindowLongW.USER32(?,000000F0), ref: 004D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004D4C82
wsprintfW.USER32 ref: 004D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004D4D5A

Strings

%d/%02d/%02d, xrefs: 004D4CA8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 881768f26361c96793a3b2799b97b852930964fdc0c823db9eef1aaede839b5e
Instruction ID: 052eb20d477470106696892d35da51bc4539191c3dd0a870e5859e0e746cc518
Opcode Fuzzy Hash: 881768f26361c96793a3b2799b97b852930964fdc0c823db9eef1aaede839b5e
Instruction Fuzzy Hash: 7412EE71600215ABEB248F29CC59FAF7BE8EF85710F10412BF915EA3E1DB789941CB58

Function 0045F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0045F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0049F474
IsIconic.USER32(00000000), ref: 0049F47D
ShowWindow.USER32(00000000,00000009), ref: 0049F48A
SetForegroundWindow.USER32(00000000), ref: 0049F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049F4AA
GetCurrentThreadId.KERNEL32 ref: 0049F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0049F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0049F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0049F4DE
SetForegroundWindow.USER32(00000000), ref: 0049F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F4F6
keybd_event.USER32(00000012,00000000), ref: 0049F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F50B
keybd_event.USER32(00000012,00000000), ref: 0049F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F519
keybd_event.USER32(00000012,00000000), ref: 0049F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F528
keybd_event.USER32(00000012,00000000), ref: 0049F52D
SetForegroundWindow.USER32(00000000), ref: 0049F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0049F557

Strings

Shell_TrayWnd, xrefs: 0049F46F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2c96c3419501d951e3867f08c1930c1c294acd9f6cb125ce3d937806228bc049
Instruction ID: f88722f835e954db8571fdb4e4787251df1f13bcfd49dbcdf8bb5af67dd6f2c6
Opcode Fuzzy Hash: 2c96c3419501d951e3867f08c1930c1c294acd9f6cb125ce3d937806228bc049
Instruction Fuzzy Hash: D9315271A41229BBEF206BB55C89FBF7F6CEB44B50F110077F600E61D1C6B45900EA69

Function 004A1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
Part of subcall function 004A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
Part of subcall function 004A16C3: GetLastError.KERNEL32 ref: 004A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004A12A8
CloseHandle.KERNEL32(?), ref: 004A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004A12D1
GetProcessWindowStation.USER32 ref: 004A12EA
SetProcessWindowStation.USER32(00000000), ref: 004A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004A1310

Part of subcall function 004A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004A11FC), ref: 004A10D4
Part of subcall function 004A10BF: CloseHandle.KERNEL32(?,?,004A11FC), ref: 004A10E9

Strings

, xrefs: 004A125A
default, xrefs: 004A130B
ZP, xrefs: 004A1392
winsta0, xrefs: 004A12CC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZP
API String ID: 22674027-2560706152
Opcode ID: 167497c6799ea91eb7a380aad38ea6e4e99a3689a12cf67fe997fd2334226ce3
Instruction ID: 4ef6bd66daae39113fe0447dab13b4eeb5c047484ae28d41d9fa5bf4e65c3333
Opcode Fuzzy Hash: 167497c6799ea91eb7a380aad38ea6e4e99a3689a12cf67fe997fd2334226ce3
Instruction Fuzzy Hash: 41818F71900209AFDF119FA8DC89FEF7BB9EF19704F14412BF911A62A0D7798944CB29

Function 004A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
Part of subcall function 004A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
Part of subcall function 004A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
Part of subcall function 004A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004A0C00
GetLengthSid.ADVAPI32(?), ref: 004A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 004A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004A0C6D
GetLengthSid.ADVAPI32(?), ref: 004A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004A0C8C
HeapAlloc.KERNEL32(00000000), ref: 004A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004A0CB4
CopySid.ADVAPI32(00000000), ref: 004A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D45
HeapFree.KERNEL32(00000000), ref: 004A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D55
HeapFree.KERNEL32(00000000), ref: 004A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D65
HeapFree.KERNEL32(00000000), ref: 004A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 004A0D78
HeapFree.KERNEL32(00000000), ref: 004A0D7F

Part of subcall function 004A1193: GetProcessHeap.KERNEL32(00000008,004A0BB1,?,00000000,?,004A0BB1,?), ref: 004A11A1
Part of subcall function 004A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004A0BB1,?), ref: 004A11A8
Part of subcall function 004A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004A0BB1,?), ref: 004A11B7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f4a92d76fbc759de3943edaad951cff41aaef5a99afe4b6ef80c2443c6f8eadb
Instruction ID: 50ff4d7a3227e6681004e9d3dde28ae4e2668233599b94589bb9fcbdea25bb78
Opcode Fuzzy Hash: f4a92d76fbc759de3943edaad951cff41aaef5a99afe4b6ef80c2443c6f8eadb
Instruction Fuzzy Hash: 68717C7290121AABDF10DFE4DC84BEFBBB8BF15310F04452AE914A7291D779A905CBA4

Function 004BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004DCC08), ref: 004BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 004BEB37
GetClipboardData.USER32(0000000D), ref: 004BEB43
CloseClipboard.USER32 ref: 004BEB4F
GlobalLock.KERNEL32(00000000), ref: 004BEB87
CloseClipboard.USER32 ref: 004BEB91
GlobalUnlock.KERNEL32(00000000), ref: 004BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 004BEBC9
GetClipboardData.USER32(00000001), ref: 004BEBD1
GlobalLock.KERNEL32(00000000), ref: 004BEBE2
GlobalUnlock.KERNEL32(00000000), ref: 004BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 004BEC38
GetClipboardData.USER32(0000000F), ref: 004BEC44
GlobalLock.KERNEL32(00000000), ref: 004BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004BECD2
GlobalUnlock.KERNEL32(00000000), ref: 004BECF3
CountClipboardFormats.USER32 ref: 004BED14
CloseClipboard.USER32 ref: 004BED59

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 61b65656fe9696539818400f24102ec99e4b267dd2efb1c6acf7686926919075
Instruction ID: cb9edb0f9d8dfdc24c5f90adcaf93bc3293a8e5a8e16f1bb39003e092e0c1037
Opcode Fuzzy Hash: 61b65656fe9696539818400f24102ec99e4b267dd2efb1c6acf7686926919075
Instruction Fuzzy Hash: 2161D5352042029FD300EF26D884FAA77E8EF84714F14456FF456972A2DB79ED05CB6A

Function 004B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B69BE
FindClose.KERNEL32(00000000), ref: 004B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004B6A75

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 004B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 004B6ADF

Strings

%4d, xrefs: 004B6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 004B6B32
%02d, xrefs: 004B6C00, 004B6C0A, 004B6C5A, 004B6CAA, 004B6CFA, 004B6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 004B6B6A
%03d, xrefs: 004B6DA2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c363c0295849bf0c4cc9e946a3f6eb4b0a435f6f621e41de5190166f7abc3747
Instruction ID: 08d9f92056e9e0ff60ebf324fe8bfea3ae7a30b2a900b7b186a840d04246ee1f
Opcode Fuzzy Hash: c363c0295849bf0c4cc9e946a3f6eb4b0a435f6f621e41de5190166f7abc3747
Instruction Fuzzy Hash: 32D15471508300AFD710EBA5C881EAFB7ECAF89708F44491EF585D7191EB78DA48CB66

Function 004B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004B9663
GetFileAttributesW.KERNEL32(?), ref: 004B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 004B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 004B96D3
FindClose.KERNEL32(00000000), ref: 004B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 004B974A
SetCurrentDirectoryW.KERNEL32(00506B7C), ref: 004B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 004B9772
FindClose.KERNEL32(00000000), ref: 004B977F
FindClose.KERNEL32(00000000), ref: 004B978F

Strings

*.*, xrefs: 004B96F5

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 64a08403ef35100dab001cb16dbb1042f888e69fedc40c3c510dd849d0fdbfcd
Instruction ID: 2d6e3261b5430d0b1c313adfd123b2d9035d52d21d7e8120e843c4a1a53ee86f
Opcode Fuzzy Hash: 64a08403ef35100dab001cb16dbb1042f888e69fedc40c3c510dd849d0fdbfcd
Instruction Fuzzy Hash: 3031D67254121AAADF10AFB5DC48ADF77ECAF09320F1041A7FA05E2190EB38DD40CE69

Function 004B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 004B9819
FindClose.KERNEL32(00000000), ref: 004B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 004B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 004B9890
SetCurrentDirectoryW.KERNEL32(00506B7C), ref: 004B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004B98B8
FindClose.KERNEL32(00000000), ref: 004B98C5
FindClose.KERNEL32(00000000), ref: 004B98D5

Part of subcall function 004ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004ADB00

Strings

*.*, xrefs: 004B983B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 25effaada09f2cf79f6f4a0730f9be0d7f9764c10dcef74d6b921f94fff6a11e
Instruction ID: c46a0bd9bec82e8933d01c2e9f88e7df786e2040ccb854cf229b1396e62fcd36
Opcode Fuzzy Hash: 25effaada09f2cf79f6f4a0730f9be0d7f9764c10dcef74d6b921f94fff6a11e
Instruction Fuzzy Hash: 6531F63150121A6ADF10EFB4DC88ADF77BCAF06324F1441ABEA14A22D0DB39DD44CA79

Function 004CBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 004CBFA9
RegCloseKey.ADVAPI32(00000000), ref: 004CBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004CC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004CC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 004CC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004CC382
RegCloseKey.ADVAPI32(00000000), ref: 004CC38F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 44e3197ab07c492874a9ddbc4fbc780426b2c94cfca3905bb51c89f274300c2a
Instruction ID: 9b4b10aa3403bdef2ce5843f4c6320f15fc1f54032cd940aee0a37be66c19f10
Opcode Fuzzy Hash: 44e3197ab07c492874a9ddbc4fbc780426b2c94cfca3905bb51c89f274300c2a
Instruction Fuzzy Hash: 69024B74604200AFD754CF24C8D5E2ABBE5EF49308F18849EE84ACB2A2D735EC46CB56

Function 004B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 004B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8395

Strings

*.*, xrefs: 004B839B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0a60b571e0bbea3369c1555a5b2c9198bbe78efb7f9586a4378139a33742a6c0
Instruction ID: d5f81797e4bb26360013deb8661023b07000ddcabf7647305d98c7a434bf5c53
Opcode Fuzzy Hash: 0a60b571e0bbea3369c1555a5b2c9198bbe78efb7f9586a4378139a33742a6c0
Instruction Fuzzy Hash: 456159715042059FDB10EF65C88099FB3E8FF89318F04492EF99987251EB39E905CBAA

Function 004AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

FindFirstFileW.KERNEL32(?,?), ref: 004AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004AD1DD
MoveFileW.KERNEL32(?,?), ref: 004AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 004AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 004AD237

Part of subcall function 004AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004AD21C,?,?), ref: 004AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 004AD253
FindClose.KERNEL32(00000000), ref: 004AD264

Strings

\*.*, xrefs: 004AD0CD, 004AD0D6, 004AD0EB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5cb9d35a859dec2acf2bcccefaeb065b12b660aa668669ab1fa237393b075905
Instruction ID: cff0d65d32c91f37052c70ad8ffb8b1b9073b07fd83be28c0a996b957a53fdec
Opcode Fuzzy Hash: 5cb9d35a859dec2acf2bcccefaeb065b12b660aa668669ab1fa237393b075905
Instruction Fuzzy Hash: 63616E31C0110D9ADF05EFE1D9929EEB7B5AF26304F2441ABE40277192EB385F09DB69

Function 004BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004BED91
EmptyClipboard.USER32 ref: 004BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 004BEDAC
CloseClipboard.USER32 ref: 004BEEA3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cb31124a94256a937254f6cb9291daaa3e726c6fe8e85539d1ac54643ab72c6a
Instruction ID: 9a8808c59838e27519d9a6a13f6fe0483ef079ae26af87374b834764228263e2
Opcode Fuzzy Hash: cb31124a94256a937254f6cb9291daaa3e726c6fe8e85539d1ac54643ab72c6a
Instruction Fuzzy Hash: C441B335605612DFE710CF16D488B9ABBE5EF84318F14C49EE4158B762C779EC42CB98

Function 004AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
Part of subcall function 004A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
Part of subcall function 004A16C3: GetLastError.KERNEL32 ref: 004A174A

ExitWindowsEx.USER32(?,00000000), ref: 004AE932

Strings

@, xrefs: 004AE925
SeShutdownPrivilege, xrefs: 004AE902
, xrefs: 004AE95C
, xrefs: 004AE920

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 050975a779c5ebe80bcdeea3695fbf811a11be5d26198dde3b3934f90b6eeb40
Instruction ID: ca0aa5977972a2945417739287e0a2b33b7b509814f77121c523c5e66c9cfea7
Opcode Fuzzy Hash: 050975a779c5ebe80bcdeea3695fbf811a11be5d26198dde3b3934f90b6eeb40
Instruction Fuzzy Hash: BA0149B2610311ABEB5422B69CC6FFF735CAB36744F140827FC23E21E2D5A85C4081AC

Function 004C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004C1276
WSAGetLastError.WSOCK32 ref: 004C1283
bind.WSOCK32(00000000,?,00000010), ref: 004C12BA
WSAGetLastError.WSOCK32 ref: 004C12C5
closesocket.WSOCK32(00000000), ref: 004C12F4
listen.WSOCK32(00000000,00000005), ref: 004C1303
WSAGetLastError.WSOCK32 ref: 004C130D
closesocket.WSOCK32(00000000), ref: 004C133C

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6182f361b3cd93ad6dc1b74a03d1f51efe6f48379c13b6a4be2312af0319150f
Instruction ID: f49ccbe191fca1e620a128b104f316d41cb35b39cb7e37abce409d4f2c0fda02
Opcode Fuzzy Hash: 6182f361b3cd93ad6dc1b74a03d1f51efe6f48379c13b6a4be2312af0319150f
Instruction Fuzzy Hash: F9418F396001419FD710EF24C484F2ABBE5AF46318F18819EE8569F3A3C775EC82CBA5

Function 004AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

FindFirstFileW.KERNEL32(?,?), ref: 004AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 004AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 004AD481
FindClose.KERNEL32(00000000), ref: 004AD498
FindClose.KERNEL32(00000000), ref: 004AD4A1

Strings

\*.*, xrefs: 004AD3F2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 746e1e5927926c2131ea953aab68af40e5337e15fabf934bd40d95607d3d286a
Instruction ID: 145dcb8f270e433ba245c478ff2e4763219597943d0ec8071836fb5b320bd47f
Opcode Fuzzy Hash: 746e1e5927926c2131ea953aab68af40e5337e15fabf934bd40d95607d3d286a
Instruction Fuzzy Hash: A23170714093459FD300EF65C8958AF77E8BEA6308F444A2FF4D252191EB38AA09D76B

Function 0047E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0047E645

Strings

1#SNAN, xrefs: 0047F844
1#QNAN, xrefs: 0047F84B
1#IND, xrefs: 0047F83D
1#INF, xrefs: 0047F852

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a0de21213f5cf7abcf65a7a2bda5058181ae3d5bc3ddbff23fed64a013242043
Instruction ID: 8dcbe4e9207542078225243c03963ee1ae5ae4f73a0883c59df728faff92c267
Opcode Fuzzy Hash: a0de21213f5cf7abcf65a7a2bda5058181ae3d5bc3ddbff23fed64a013242043
Instruction Fuzzy Hash: AFC26B71E086288FDB25CE29DD407EAB7B5EB48304F1482EBD44DE7241E778AE858F45

Function 004B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004B64DC
CoInitialize.OLE32(00000000), ref: 004B6639
CoCreateInstance.OLE32(004DFCF8,00000000,00000001,004DFB68,?), ref: 004B6650
CoUninitialize.OLE32 ref: 004B68D4

Strings

.lnk, xrefs: 004B64BA, 004B6524, 004B65E0

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 213772d98bd8d1be93f2b1bf7ea7574ca3ac51f3d883f1a3fbd67f12e19a2b04
Instruction ID: 6c9e46e7acd14678c83d22e1199419d016a42d448032a77a247b83ba3f525706
Opcode Fuzzy Hash: 213772d98bd8d1be93f2b1bf7ea7574ca3ac51f3d883f1a3fbd67f12e19a2b04
Instruction Fuzzy Hash: 2ED15B71508201AFD314EF25C881DABB7E8FF94708F04496EF5958B291DB39ED09CBA6

Function 004C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004C22E8

Part of subcall function 004BE4EC: GetWindowRect.USER32(?,?), ref: 004BE504

GetDesktopWindow.USER32 ref: 004C2312
GetWindowRect.USER32(00000000), ref: 004C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 004C2355
GetCursorPos.USER32(?), ref: 004C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004C23DF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 620644b46a6a235571655573603c2e2a31f4b6c7beb1b1eba2b3c983fbac519a
Instruction ID: 6f5dc6e87b7da2aba1958237f372b1b0007947b8f0c2d529896f0d2f3889a826
Opcode Fuzzy Hash: 620644b46a6a235571655573603c2e2a31f4b6c7beb1b1eba2b3c983fbac519a
Instruction Fuzzy Hash: FB31E172105356ABC720DF25D944F5BB7A9FF84714F00091EF88497191DBB8EA08CB9A

Function 004B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004B9C8B

Part of subcall function 004B3874: GetInputState.USER32 ref: 004B38CB
Part of subcall function 004B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004B9C75

Strings

*.*, xrefs: 004B9B5D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7c68bea77686cb95ad6c508d2c173a8bbff9e98e7c198c8fbd89777181547d06
Instruction ID: 4b7053a2198dd30107d63513f9a4b389f9583375d4870dda12204cc50f3378a1
Opcode Fuzzy Hash: 7c68bea77686cb95ad6c508d2c173a8bbff9e98e7c198c8fbd89777181547d06
Instruction Fuzzy Hash: E841927194420A9FDF14DFA5C889AEE7BB4FF05304F20415BE905A3291EB349E44CF69

Function 00448060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004483FA
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00485DB2
VUUU, xrefs: 004483E8
VUUU, xrefs: 0044843C
VUUU, xrefs: 00485DF0
ERCP, xrefs: 0044813C

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: cb6adf192747e53a505bdfa5e1557018285033fe579242bfe96d776d19a274ba
Instruction ID: f10700c030a0d8f6ca489324b740d40c7d5060f82b49e24b6534beaa3f25f472
Opcode Fuzzy Hash: cb6adf192747e53a505bdfa5e1557018285033fe579242bfe96d776d19a274ba
Instruction Fuzzy Hash: E7A29E70E0021ACBEF24DF58C9407AEB7B1BB54314F2585ABD815A7385EB389D81CF99

Function 0045997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00459A4E
GetSysColor.USER32(0000000F), ref: 00459B23
SetBkColor.GDI32(?,00000000), ref: 00459B36

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c8e1d9bb8896fe0a29252374b0c5388dea8bb646f2ae51cda68421c5da6451e8
Instruction ID: a769b2526b0f3423d8617dcbd3c25ae1f206f6a67a00637a5ce6b4860b2511a2
Opcode Fuzzy Hash: c8e1d9bb8896fe0a29252374b0c5388dea8bb646f2ae51cda68421c5da6451e8
Instruction Fuzzy Hash: 21A10CB0118584FEEB249B3D8C58D7B2A9DEB42315B14415FF902C6793CA2D9D0AD37E

Function 004C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
Part of subcall function 004C304E: _wcslen.LIBCMT ref: 004C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004C185D
WSAGetLastError.WSOCK32 ref: 004C1884
bind.WSOCK32(00000000,?,00000010), ref: 004C18DB
WSAGetLastError.WSOCK32 ref: 004C18E6
closesocket.WSOCK32(00000000), ref: 004C1915

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: cba365f0952fa2a33da7fd7fdb862550f40bbab53b3251aea053aeb02d622f2c
Instruction ID: 79161794ab389f961765496263c9464a40fbc2d36891ce4822dcb9f83d2803a7
Opcode Fuzzy Hash: cba365f0952fa2a33da7fd7fdb862550f40bbab53b3251aea053aeb02d622f2c
Instruction Fuzzy Hash: 5151D475A00210AFEB10AF25C886F2AB7E5AB45718F08849EF9055F3D3C779AD41CBA5

Function 004D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004D1CC0
IsWindowEnabled.USER32 ref: 004D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004D1CDB
IsIconic.USER32 ref: 004D1CE9
IsZoomed.USER32 ref: 004D1CF7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4a28e2003497474c65e7cb1cb4467127c1f0e37e68ece04905e6b9fc34f83e8e
Instruction ID: 86388c739614773bb25f5934ce8a216e1e35d63ebd2a414dd1bd4011350cc9d1
Opcode Fuzzy Hash: 4a28e2003497474c65e7cb1cb4467127c1f0e37e68ece04905e6b9fc34f83e8e
Instruction Fuzzy Hash: D821E1317512016FE7208F1AC8A4B2B7BA5EF95714B18806FEC468B361C779EC42CB98

Function 004A8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004A82AA

Strings

|, xrefs: 004A82DA
tbP, xrefs: 004A84F4
(, xrefs: 004A82F0

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbP$|
API String ID: 1659193697-2761516067
Opcode ID: 0fd0be99b777121b6e949ddddba5ba5fa94b4dc347cf717fe85d812e6be26c3c
Instruction ID: 69d7f5566fb06c8a5ab7c1fbaf37613f4551fb94c5e7aaeca647bcc025975ec4
Opcode Fuzzy Hash: 0fd0be99b777121b6e949ddddba5ba5fa94b4dc347cf717fe85d812e6be26c3c
Instruction Fuzzy Hash: D0323575A007059FCB28CF19C481AAAB7F0FF58710B15C46EE89ADB7A1EB74E941CB44

Function 004AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004AAAAC
SetKeyboardState.USER32(00000080), ref: 004AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004AAB88

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 393f763a0f08acccd2a654ed62987e57158ee0a165acc84aeada6961e13328b9
Instruction ID: 8e7d1b8e525c319f95547b8536ad6cd9e77904bf4ed525cd6533020fca1ada7a
Opcode Fuzzy Hash: 393f763a0f08acccd2a654ed62987e57158ee0a165acc84aeada6961e13328b9
Instruction Fuzzy Hash: 55311A30A40208AEFF35CA65CC05BFB77A6AB66310F04421BF281562D1D37DA9A1C77B

Function 0047BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0047BB7F

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

GetTimeZoneInformation.KERNEL32 ref: 0047BB91
WideCharToMultiByte.KERNEL32(00000000,?,0051121C,000000FF,?,0000003F,?,?), ref: 0047BC09
WideCharToMultiByte.KERNEL32(00000000,?,00511270,000000FF,?,0000003F,?,?,?,0051121C,000000FF,?,0000003F,?,?), ref: 0047BC36

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: c86e1a35912dd887cf7f1c4abdb525f0b357fd02d7ba940d64e464e46ba8c51c
Instruction ID: fcf89ae9ca2677061bd1f03beba44098306611d72d520a7a6654ba82ee1b819d
Opcode Fuzzy Hash: c86e1a35912dd887cf7f1c4abdb525f0b357fd02d7ba940d64e464e46ba8c51c
Instruction Fuzzy Hash: 3C31B070904205DFCB11DF6A8C80AAEBBB8FF55310714C2AFE528D72A1D7349945DB98

Function 004BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 004BCE89
GetLastError.KERNEL32(?,00000000), ref: 004BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 004BCEFE

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c0bdeb0c09f95187de3a5cb4977af6287fc788917690e76739e7e6d7b2771ea5
Instruction ID: f70a88988bee3ec56d67319b1ae0f0a43165593dbd1c17a93eda1c1a78fb3b62
Opcode Fuzzy Hash: c0bdeb0c09f95187de3a5cb4977af6287fc788917690e76739e7e6d7b2771ea5
Instruction Fuzzy Hash: D0219071900306DBDB20DFA5C9C4BA777F8EB50358F10446FE64692291E778EE05CBA8

Function 004B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 004B5D17
FindClose.KERNEL32(?), ref: 004B5D5F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b63c7d37f5b286415ee9b9ee0d7bcc3329cf157656812be59343d0b9da2a6435
Instruction ID: ccc54f9bf8c37d61d82734e949b1d6b8d3daecfe0a3c20b09bce5c7a415deb5d
Opcode Fuzzy Hash: b63c7d37f5b286415ee9b9ee0d7bcc3329cf157656812be59343d0b9da2a6435
Instruction Fuzzy Hash: C85199746046019FC714CF28C494A9AF7E8FF49318F14865EE95A8B3A1CB38E805CFA5

Function 00472622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0047271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00472724
UnhandledExceptionFilter.KERNEL32(?), ref: 00472731

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7d4e3d22d90d11a4ee2985b7d334f5c23de2facf79ce3387ed4ea10d1cb66eb1
Instruction ID: 28f071ad4f1babb1f099a063dc92ea61c6072b39347d3cfc56bbc9250eb4787e
Opcode Fuzzy Hash: 7d4e3d22d90d11a4ee2985b7d334f5c23de2facf79ce3387ed4ea10d1cb66eb1
Instruction Fuzzy Hash: 1631D774911218ABCB21DF65DD887DDB7B8AF18310F5042EAE80CA7260E7749F818F49

Function 004B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004B5238
SetErrorMode.KERNEL32(00000000), ref: 004B52A1

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cdbd693e74c7232cb2102cfb070e97a9cfcf4d97414355a63665a87f50e70595
Instruction ID: 940baa1ac59d749553be5c5b50a2ea5c27eca56093f50f6013228dc2fd246cd3
Opcode Fuzzy Hash: cdbd693e74c7232cb2102cfb070e97a9cfcf4d97414355a63665a87f50e70595
Instruction Fuzzy Hash: AF314D75A005189FDB00DF55D8C4EAEBBB4FF49318F0880AAE8059B392DB35E856CB64

Function 004A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0045FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00460668
Part of subcall function 0045FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00460685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
GetLastError.KERNEL32 ref: 004A174A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c735bd86b989f57711daf011a1e525990a8841db29d9524a596a21d26648a5ad
Instruction ID: 18756058707eb33a4139721e211ff357e0f21e1e2187966009e77c0f41b01df8
Opcode Fuzzy Hash: c735bd86b989f57711daf011a1e525990a8841db29d9524a596a21d26648a5ad
Instruction Fuzzy Hash: B1110EB2400305BFDB18AF54DCC6D6BB7B8EB04714B20802FE44697251EB74BC49CA68

Function 004AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004AD650

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 063c19c5fe73ecc65e753ff446bd1c8eaeef757a7c66cde7e75fe5170240318a
Instruction ID: 1b06602acabd91302bb7a19b2fa79abae2ef08d1ac39c317b042863b07e3cfa6
Opcode Fuzzy Hash: 063c19c5fe73ecc65e753ff446bd1c8eaeef757a7c66cde7e75fe5170240318a
Instruction Fuzzy Hash: 9B118E71E05228BFDB108F94DC84FAFBBBCEB45B50F108122F904E7290C2704A018BA5

Function 004A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004A16A1
FreeSid.ADVAPI32(?), ref: 004A16B1

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1713f0045b3441dfef9c97bec3945816b432b11155af7f3a979fc71d8bd7ad34
Instruction ID: efb30fc0a20b45eed527dd684e767c35939fcd3f2204346ed93ee6cb300e5277
Opcode Fuzzy Hash: 1713f0045b3441dfef9c97bec3945816b432b11155af7f3a979fc71d8bd7ad34
Instruction Fuzzy Hash: F5F0F471951309FBDF00DFE49C89EAEBBBCEB08604F504566E501E2191E774AA448A54

Function 0049D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0049D28C

Strings

X64, xrefs: 0049D2A8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d6dc960ca8bcb437f1ff6db050a11f8e1edffbf385c6d79b1f03a21f73e3b455
Instruction ID: 734f1a1bde815913a2b2a7cc941b9f8216ad4db7586b15f7583691761827c3a3
Opcode Fuzzy Hash: d6dc960ca8bcb437f1ff6db050a11f8e1edffbf385c6d79b1f03a21f73e3b455
Instruction Fuzzy Hash: C2D0C9B480111DEACF90CB90DCC8DD9B77CBB04305F1001A2F506A2080D73495498F14

Function 0046CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a49604b0a8cf665cd8463bd6c77995f2e619b4941bd74f44c5c4f825e86613b3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7023C71E002199BDF14CFA9C9C06AEBBF1EF48314F25816AD859E7380E735AA418B95

Function 0044CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00490C40
p#Q, xrefs: 0044CF7F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#Q
API String ID: 0-1304417871
Opcode ID: 72653585e873e706e7c88c44d5dea577cfcde5421ddb59ad650f663b90954c7a
Instruction ID: 4955907399058fe4d64edbb02d34fbc17f64c634521836ccf98309f09a2f46af
Opcode Fuzzy Hash: 72653585e873e706e7c88c44d5dea577cfcde5421ddb59ad650f663b90954c7a
Instruction Fuzzy Hash: E1326F74901218DFEF54DF90C8C5AEEBBB5BF14308F14406AE8066B392D739AD4ACB59

Function 004B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B6918
FindClose.KERNEL32(00000000), ref: 004B6961

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: af92655b3322d1b5549dcb8228fc9764045ac3413b019154beefe881e7c7bbba
Instruction ID: d5ec47cf6335c2765dda0dd5d156a17e05789ea9ca22c3413d45d5f0878e129f
Opcode Fuzzy Hash: af92655b3322d1b5549dcb8228fc9764045ac3413b019154beefe881e7c7bbba
Instruction Fuzzy Hash: 8811B1716042019FD710CF29C4C4A16BBE1EF84328F05C6AEE8698F3A2C738EC05CB95

Function 004B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004C4891,?,?,00000035,?), ref: 004B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004C4891,?,?,00000035,?), ref: 004B37F4

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0892ca4af0aa6a53fc10d59b5f68f3d420aaaa24f4efa768e619d84cfbbc5cd2
Instruction ID: 81dfd3efca53ddf08967eff486ac09601e485db0ee064c2cf052da5bbdd0c69f
Opcode Fuzzy Hash: 0892ca4af0aa6a53fc10d59b5f68f3d420aaaa24f4efa768e619d84cfbbc5cd2
Instruction Fuzzy Hash: 3FF0EC706052256AE71017675C8DFDB775DDFC4765F000577F509D2291D9605D04C7F4

Function 004AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004AB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 004AB270

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 5abf8465ea6a1a11bde4c4e0748bbef99b66824f34951d6cf3147f2e208533e4
Instruction ID: fba9bd707d67451d49d0367afa86847768372b964fff45d4700d97e3dfce5943
Opcode Fuzzy Hash: 5abf8465ea6a1a11bde4c4e0748bbef99b66824f34951d6cf3147f2e208533e4
Instruction Fuzzy Hash: A6F01D7180424EABDB059FA0C809BAE7BB4FF05305F00805AF955A5192C3798611DF98

Function 004A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004A11FC), ref: 004A10D4
CloseHandle.KERNEL32(?,?,004A11FC), ref: 004A10E9

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: cfe2f13acf338322bfe11de8c7952e9e3c0b5a410e8de3e4f33a72c635e74d9e
Instruction ID: 7e87f6b1aaf0d90fb2dfc146f92f1287e2f8313f7cb78d2a704a0ff2f28c7937
Opcode Fuzzy Hash: cfe2f13acf338322bfe11de8c7952e9e3c0b5a410e8de3e4f33a72c635e74d9e
Instruction Fuzzy Hash: 28E04F32008601AEE7252B51FC06E7377A9EB04311F10882FF8A6804B1DB626C94DB58

Function 0047676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00476766,?,?,00000008,?,?,0047FEFE,00000000), ref: 00476998

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2d0a9e7514656bcdf37d7beef9a264231cc127ae6c6b84a58fff82df2ee4af7
Instruction ID: 0378190187dc7540a1275503067bb9a54484b0a429184b369f2932314014023a
Opcode Fuzzy Hash: f2d0a9e7514656bcdf37d7beef9a264231cc127ae6c6b84a58fff82df2ee4af7
Instruction Fuzzy Hash: 13B16B71510A089FD718CF28C486BA57BA1FF05364F26C659E89DCF2A2C339D986CB45

Function 0045B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0049851F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 06aeeffad057c82e5f8018c2af3c97d9e30c15b5c5716d1716248d577b0f74cd
Instruction ID: ad2cf314a3b34f329804843ce6f97904ddb43e39242f8db7c5060f0fc8213c2d
Opcode Fuzzy Hash: 06aeeffad057c82e5f8018c2af3c97d9e30c15b5c5716d1716248d577b0f74cd
Instruction Fuzzy Hash: 581251719002199BDF24CF58C8806EEB7B5FF49710F1481ABE849EB252DB389A85CF95

Function 004BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004BEABD

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a031c8407f6b3e76bb3b2c616f91292d481c70bf7d3cb68f28ce2bbd866a8027
Instruction ID: baf6dfd076fc7403a12d4b4a14966c8bb1ccb9d47327505adec3b2de9af79efe
Opcode Fuzzy Hash: a031c8407f6b3e76bb3b2c616f91292d481c70bf7d3cb68f28ce2bbd866a8027
Instruction Fuzzy Hash: E0E01A31200204AFD710EF6AD844E9AF7EDAF98764F00842BFC49C7391DA78E8418BA5

Function 004609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004603EE), ref: 004609DA

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f12016c38cd83bc85ca92b9f46b1829e9d0f31041dade312c7c54414380f6ff3
Instruction ID: 8769f1eebe6eedeba84163d246e6da1af2c11fc35e9b854ab28933c19d62ad36
Opcode Fuzzy Hash: f12016c38cd83bc85ca92b9f46b1829e9d0f31041dade312c7c54414380f6ff3
Instruction Fuzzy Hash:

Function 0046781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0046798B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 53903b253fd0543935c4c6df2e76f2c87a8f1ce5777cb161b363507de66416eb
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E25137A160C70556EB38A67988997BF27D59B0234CF180A0FD882D7382F61DDE4AD35F

Function 004B2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&Q, xrefs: 004B2053

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: 0&Q
API String ID: 0-77127364
Opcode ID: 57d0dc16a6607aa39f716888c42bb00535cda9f6029d3bb7e4ce430f868e2549
Instruction ID: 1b50203392b4f2da0cd0a0bd67a3b99b7fbd7eefba1e9b7c4f6edad1624c2e9c
Opcode Fuzzy Hash: 57d0dc16a6607aa39f716888c42bb00535cda9f6029d3bb7e4ce430f868e2549
Instruction Fuzzy Hash: 69210A323206118BD728CF79C9236BE73E5A764310F148A2EE4A7C33D0DE79A904DB94

Function 00476DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7e30eba3cd2d7fdf627b3e64d4042bd8ed711840f516f1fcf975a0ac8fe123
Instruction ID: 4637db1ee3c7294b1be8df48d5a901ef34a8a28ce6b9cf6155db6647c8bcba82
Opcode Fuzzy Hash: 1a7e30eba3cd2d7fdf627b3e64d4042bd8ed711840f516f1fcf975a0ac8fe123
Instruction Fuzzy Hash: 7F326522D29F414DD7239638CD62336A64DAFB33C4F55C737E81AB9EA6EB68C4834104

Function 0045CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be3cd205b16f4bcd6f25a78db92e6547c60c4971a0def328187b086d953b474
Instruction ID: d74e644c32553d6df23c73f437fdfad0e03b64778444c32f5175f0e27aa1f299
Opcode Fuzzy Hash: 4be3cd205b16f4bcd6f25a78db92e6547c60c4971a0def328187b086d953b474
Instruction Fuzzy Hash: 0232F132A002458FDF29CE29C4D467E7FA1EB45305F28857BD85A8B392D23CDD86DB49

Function 00447920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ce11ef8e955cf556cc3dca73df54b8cc612a5d5e60628350a47aa5a8359cb5
Instruction ID: ff10ccb107c76f1cb4ed4dfef90ef5e0256d7fbb2f51c2addd56fa35d9cc58ac
Opcode Fuzzy Hash: 34ce11ef8e955cf556cc3dca73df54b8cc612a5d5e60628350a47aa5a8359cb5
Instruction Fuzzy Hash: 2D22D2B0A00609DFEF14DF65C881AAEB3F5FF44304F14452AE816E7291EB39AD16CB59

Function 004491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc7d63480ba43865327e9e2d77edd46c16d17e4622fd0e7a69e7d23e2ed5ae9
Instruction ID: 5a4fb86a5b3acd1c285fc18b7411f9743ac50aadd3a1c678aa753ea5cede3d0f
Opcode Fuzzy Hash: 1fc7d63480ba43865327e9e2d77edd46c16d17e4622fd0e7a69e7d23e2ed5ae9
Instruction Fuzzy Hash: ED02D6B0E00105EBDB04EF55D881AAEB7B5FF44304F10856AE806DB391EB39EE15DB89

Function 00479EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9855cd8d10b4e70cde71cbc9636ea55ecfe4763fdc24702db31d1a750de13e
Instruction ID: d8996e45673a419eaa9a08446e3d471eae6bdf47ee7dada0f54b1a1ad81ce26e
Opcode Fuzzy Hash: 5f9855cd8d10b4e70cde71cbc9636ea55ecfe4763fdc24702db31d1a750de13e
Instruction Fuzzy Hash: B4B12630D2AF804DD3239A398875336B65CAFBB6C6F51D72BFC1679D62EB2185834144

Function 00461C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 3343b3b88fa119a55e0a7cddb3b6427d3b1ce1e4f5666fef1197bface83dddaa
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A89178725080E34ADB2D463A857443FFFE15A523A131E079FD4F2CA2E1FE18D958E626

Function 00461F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 47d295c57fb61189cb4869227df42b4488b4284af0e89ea4674ad25ef6761686
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: AA91A77220C4E319DB6D4239853407FFFE15A923A130E079FD4F2CA2D1FE688558E626

Function 004619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4179e4ad15eb78a35a3124924815861f9fe2ec59f9ebd0cd56f825dc8297d203
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 939186722090E34ADB2D427A857403FFFE15A927A231D079FD4F2CA2E1FD189558E626

Function 00467A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a935f6750f7082111288e6c91574ec828df002cf409219750c78b3cd325f24
Instruction ID: f9b0e94c949542d76cdd522a58dae2fd0269ae6099d9eb58a6f4f594febf9451
Opcode Fuzzy Hash: e9a935f6750f7082111288e6c91574ec828df002cf409219750c78b3cd325f24
Instruction Fuzzy Hash: 4D61697120870956DA349A6888A5BBF3394DF41B4CF140A1FE842DB382FA5DAE42C71F

Function 00467CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cb14924b63c72a23d706e4c502b4b8e40a787c1a035894fe8435258c080ee7
Instruction ID: 5b7482d8300e428b0e347fc3a4e5288de62faedfa84c3b2d05207cf2a7c48649
Opcode Fuzzy Hash: 59cb14924b63c72a23d706e4c502b4b8e40a787c1a035894fe8435258c080ee7
Instruction Fuzzy Hash: B261797160870966DB388A289891BBF23849F4274CF100D5FE943DB381FA1E9D46835F

Function 00461706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bbe3e50b3ba7076f783f5d83efee7e301d39d003d11c23f799106d78cff09464
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 898167725090E309DB5D463A857443FFFE15A923A231E079FD4F2CB2E1FD188558E626

Function 004C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004C2B30
DeleteObject.GDI32(00000000), ref: 004C2B43
DestroyWindow.USER32 ref: 004C2B52
GetDesktopWindow.USER32 ref: 004C2B6D
GetWindowRect.USER32(00000000), ref: 004C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 004C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2CF8
GetClientRect.USER32(00000000,?), ref: 004C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D80
GlobalLock.KERNEL32(00000000), ref: 004C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D98
GlobalUnlock.KERNEL32(00000000), ref: 004C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2DA8
GlobalFree.KERNEL32(00000000), ref: 004C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,004DFC38,00000000), ref: 004C2DDB
GlobalFree.KERNEL32(00000000), ref: 004C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 004C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 004C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C303F

Strings

static, xrefs: 004C2D3A, 004C2E91
DISPLAY, xrefs: 004C2EA2
AutoIt v3, xrefs: 004C2CF2
, xrefs: 004C2FC5

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ede97e680ecaacca52f5cf8b772ef30215e1e7789bf0afde78fc4f918de1e6f0
Instruction ID: b113b5b381bce7ef4e4d4482505129303358bef4fef47705c3c1614cf89de3ab
Opcode Fuzzy Hash: ede97e680ecaacca52f5cf8b772ef30215e1e7789bf0afde78fc4f918de1e6f0
Instruction Fuzzy Hash: 6202AD75900219AFDB14DF64CD89EAE7BB9EB48314F00855EF915AB2A0CB74ED01CB68

Function 004D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004D712F
GetSysColorBrush.USER32(0000000F), ref: 004D7160
GetSysColor.USER32(0000000F), ref: 004D716C
SetBkColor.GDI32(?,000000FF), ref: 004D7186
SelectObject.GDI32(?,?), ref: 004D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004D71C0
GetSysColor.USER32(00000010), ref: 004D71C8
CreateSolidBrush.GDI32(00000000), ref: 004D71CF
FrameRect.USER32(?,?,00000000), ref: 004D71DE
DeleteObject.GDI32(00000000), ref: 004D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004D7230
FillRect.USER32(?,?,?), ref: 004D7262
GetWindowLongW.USER32(?,000000F0), ref: 004D7284

Part of subcall function 004D73E8: GetSysColor.USER32(00000012), ref: 004D7421
Part of subcall function 004D73E8: SetTextColor.GDI32(?,?), ref: 004D7425
Part of subcall function 004D73E8: GetSysColorBrush.USER32(0000000F), ref: 004D743B
Part of subcall function 004D73E8: GetSysColor.USER32(0000000F), ref: 004D7446
Part of subcall function 004D73E8: GetSysColor.USER32(00000011), ref: 004D7463
Part of subcall function 004D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004D7471
Part of subcall function 004D73E8: SelectObject.GDI32(?,00000000), ref: 004D7482
Part of subcall function 004D73E8: SetBkColor.GDI32(?,00000000), ref: 004D748B
Part of subcall function 004D73E8: SelectObject.GDI32(?,?), ref: 004D7498
Part of subcall function 004D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004D74B7
Part of subcall function 004D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004D74CE
Part of subcall function 004D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004D74DB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 489fbfe9db752468dcd3fb471e7b518e1a77b2acdc7d133884c2aa4490781ba6
Instruction ID: bc57eb5a331f874e6a3c7fb9b84825649343014f27a923318a245a8af5d93b3c
Opcode Fuzzy Hash: 489fbfe9db752468dcd3fb471e7b518e1a77b2acdc7d133884c2aa4490781ba6
Instruction Fuzzy Hash: 60A1A372009312BFDB019F60DC98A5FBBA9FB49320F100B2BF962962E1D734D945CB56

Function 00458D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00458E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00496AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00496AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00496F43

Part of subcall function 00458F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00458BE8,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 00458FC5

SendMessageW.USER32(?,00001053), ref: 00496F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00496F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00496FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00496FB7

Strings

0, xrefs: 00496DCF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 8bf8d7994af29f11acc6eb56cb45820537962997ddabdb0e9e05a1741c6da335
Instruction ID: 34725f0324fea6d8e91ce1641199166278bb709c24b229043e517bd5c56bd604
Opcode Fuzzy Hash: 8bf8d7994af29f11acc6eb56cb45820537962997ddabdb0e9e05a1741c6da335
Instruction Fuzzy Hash: C112CC30201611AFCB21CF24C895BAABBF1FB44301F15817EF995DB262CB39E856DB59

Function 004C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 004C2900
GetClientRect.USER32(00000000,?), ref: 004C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004C2964
GetStockObject.GDI32(00000011), ref: 004C2974
SelectObject.GDI32(00000000,00000000), ref: 004C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004C2991
DeleteDC.GDI32(00000000), ref: 004C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 004C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 004C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004C2A77
GetStockObject.GDI32(00000011), ref: 004C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004C2A97

Strings

static, xrefs: 004C294F, 004C2A71
DISPLAY, xrefs: 004C295A
AutoIt v3, xrefs: 004C28F8
msctls_progress32, xrefs: 004C2A13

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a0570d5f210081e0a53705d712b3d3169aa01c6b20dd9ce8ab68fff318a7d4af
Instruction ID: abfd03025e7fd1e7acbd8d4a2ba50739fbb682fe9c819363f75a4a247877d31e
Opcode Fuzzy Hash: a0570d5f210081e0a53705d712b3d3169aa01c6b20dd9ce8ab68fff318a7d4af
Instruction Fuzzy Hash: C1B16F75A00615BFEB14DF68CD85FAE7BA9EB04714F00855AFA14E7290D7B4ED00CBA8

Function 004B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B4AED
GetDriveTypeW.KERNEL32(?,004DCB68,?,\\.\,004DCC08), ref: 004B4BCA
SetErrorMode.KERNEL32(00000000,004DCB68,?,\\.\,004DCC08), ref: 004B4D36

Strings

Network, xrefs: 004B4C02
Fibre, xrefs: 004B4CAD
CDROM, xrefs: 004B4BFB
ATAPI, xrefs: 004B4C91
RAMDisk, xrefs: 004B4BF4
RAID, xrefs: 004B4CBB
SSA, xrefs: 004B4CA6
ATA, xrefs: 004B4C98
USB, xrefs: 004B4CB4
iSCSI, xrefs: 004B4CC2
Fixed, xrefs: 004B4C09
SCSI, xrefs: 004B4C8A
SSD, xrefs: 004B4C4A
Unknown, xrefs: 004B4BED, 004B4C83
MMC, xrefs: 004B4CDE
Removable, xrefs: 004B4C10, 004B4C15
SAS, xrefs: 004B4CC9
Virtual, xrefs: 004B4CE5
PhysicalDrive, xrefs: 004B4B76
1394, xrefs: 004B4C9F
FileBackedVirtual, xrefs: 004B4CEC
SATA, xrefs: 004B4CD0
\\.\, xrefs: 004B4B3F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: bbc78320d4c7a8e51213a92bd792d9330ca6aff3336bb933a31dc2945f1f87ee
Instruction ID: 27b65e6b2ab6cfef94a938956f02251ba264796e8b788333bb70e32f7af41407
Opcode Fuzzy Hash: bbc78320d4c7a8e51213a92bd792d9330ca6aff3336bb933a31dc2945f1f87ee
Instruction Fuzzy Hash: 5B61C2316051069BDB04DF24C9829BD7FB0BB84B04B21401BF806AB693DB3DED56DB7A

Function 004D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004D7421
SetTextColor.GDI32(?,?), ref: 004D7425
GetSysColorBrush.USER32(0000000F), ref: 004D743B
GetSysColor.USER32(0000000F), ref: 004D7446
CreateSolidBrush.GDI32(?), ref: 004D744B
GetSysColor.USER32(00000011), ref: 004D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004D7471
SelectObject.GDI32(?,00000000), ref: 004D7482
SetBkColor.GDI32(?,00000000), ref: 004D748B
SelectObject.GDI32(?,?), ref: 004D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004D7572
DrawFocusRect.USER32(?,?), ref: 004D757D
GetSysColor.USER32(00000011), ref: 004D758E
SetTextColor.GDI32(?,00000000), ref: 004D7596
DrawTextW.USER32(?,004D70F5,000000FF,?,00000000), ref: 004D75A8
SelectObject.GDI32(?,?), ref: 004D75BF
DeleteObject.GDI32(?), ref: 004D75CA
SelectObject.GDI32(?,?), ref: 004D75D0
DeleteObject.GDI32(?), ref: 004D75D5
SetTextColor.GDI32(?,?), ref: 004D75DB
SetBkColor.GDI32(?,?), ref: 004D75E5

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 04034037cca101bddfc149e637594aecfc579e045bf6f0dca48e0b498f45ac00
Instruction ID: dacbb7c5bf845b16eafbb12b5df97f7bd8f2982f2583530a527fa50dd12e6602
Opcode Fuzzy Hash: 04034037cca101bddfc149e637594aecfc579e045bf6f0dca48e0b498f45ac00
Instruction Fuzzy Hash: B1616F72901219BFDF019FA4DC99EEEBFB9EB08320F114126F915AB2A1D7749940CF94

Function 004D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004D1128
GetDesktopWindow.USER32 ref: 004D113D
GetWindowRect.USER32(00000000), ref: 004D1144
GetWindowLongW.USER32(?,000000F0), ref: 004D1199
DestroyWindow.USER32(?), ref: 004D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004D1245
IsWindowVisible.USER32(00000000), ref: 004D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004D12D0
GetWindowRect.USER32(00000000,?), ref: 004D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004D130E
GetMonitorInfoW.USER32(00000000,?), ref: 004D1328
CopyRect.USER32(?,?), ref: 004D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004D13AA

Strings

(, xrefs: 004D131B
tooltips_class32, xrefs: 004D11E6
0, xrefs: 004D10D3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a9edb41c2462ea658ddfca60e94f65d1b6b29dad5bb5a9788305c7c4c7bd5fed
Instruction ID: 2b911623660c9ddfee3a924f2aa64887f479ab1a51c19e5966284ee3d1b22407
Opcode Fuzzy Hash: a9edb41c2462ea658ddfca60e94f65d1b6b29dad5bb5a9788305c7c4c7bd5fed
Instruction Fuzzy Hash: 48B18C71604341AFE700DF65C885B6BBBE4FF88354F00891EF9999B2A1C735E845CB9A

Function 00458891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00458968
GetSystemMetrics.USER32(00000007), ref: 00458970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0045899B
GetSystemMetrics.USER32(00000008), ref: 004589A3
GetSystemMetrics.USER32(00000004), ref: 004589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00458A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00458A3C
GetClientRect.USER32(00000000,000000FF), ref: 00458A5A
GetStockObject.GDI32(00000011), ref: 00458A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00458A81

Part of subcall function 0045912D: GetCursorPos.USER32(?), ref: 00459141
Part of subcall function 0045912D: ScreenToClient.USER32(00000000,?), ref: 0045915E
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000001), ref: 00459183
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000002), ref: 0045919D

SetTimer.USER32(00000000,00000000,00000028,004590FC), ref: 00458AA8

Strings

AutoIt v3 GUI, xrefs: 00458A20

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c4bf074d2f09ba9d82cbeda1e1283f6e3c257f422aef2fd0a7060d40495d87cf
Instruction ID: f4c780a6d50e5c692f42af5c7bd3db35a16bc03e5d882472c14e0e4a60cba9e0
Opcode Fuzzy Hash: c4bf074d2f09ba9d82cbeda1e1283f6e3c257f422aef2fd0a7060d40495d87cf
Instruction Fuzzy Hash: 1AB19E7160020AAFDF04DFA8DC85BAE3BB4FB48315F11416AFA15A7290DB38E845CB59

Function 004A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
Part of subcall function 004A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
Part of subcall function 004A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
Part of subcall function 004A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004A0E29
GetLengthSid.ADVAPI32(?), ref: 004A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 004A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004A0E96
GetLengthSid.ADVAPI32(?), ref: 004A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004A0EB5
HeapAlloc.KERNEL32(00000000), ref: 004A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004A0EDD
CopySid.ADVAPI32(00000000), ref: 004A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F6E
HeapFree.KERNEL32(00000000), ref: 004A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F7E
HeapFree.KERNEL32(00000000), ref: 004A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F8E
HeapFree.KERNEL32(00000000), ref: 004A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 004A0FA1
HeapFree.KERNEL32(00000000), ref: 004A0FA8

Part of subcall function 004A1193: GetProcessHeap.KERNEL32(00000008,004A0BB1,?,00000000,?,004A0BB1,?), ref: 004A11A1
Part of subcall function 004A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004A0BB1,?), ref: 004A11A8
Part of subcall function 004A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004A0BB1,?), ref: 004A11B7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1d41564a20210025e70ec91b017aed7caadca1e24377628fd8fe91faf292f1d0
Instruction ID: 74a062688efe43c25306db39c933e223afc6a4dba787d852820be6e4701bb3b3
Opcode Fuzzy Hash: 1d41564a20210025e70ec91b017aed7caadca1e24377628fd8fe91faf292f1d0
Instruction Fuzzy Hash: F0716D7190121AEFDF209FA4DC84BAFBBB8BF1A301F044126F919B6291D775D905CB68

Function 004CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004DCC08,00000000,?,00000000,?,?), ref: 004CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 004CC5A4
_wcslen.LIBCMT ref: 004CC5F4
_wcslen.LIBCMT ref: 004CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 004CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 004CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 004CC84D
RegCloseKey.ADVAPI32(?), ref: 004CC881
RegCloseKey.ADVAPI32(00000000), ref: 004CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 004CC960

Strings

REG_BINARY, xrefs: 004CC913
REG_EXPAND_SZ, xrefs: 004CC5CD
REG_MULTI_SZ, xrefs: 004CC6F5
REG_DWORD, xrefs: 004CC804
REG_SZ, xrefs: 004CC644
REG_QWORD, xrefs: 004CC8C3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 4c5f19c6d512e3f3f1f97aff56d49e9e1e275d8c16b9924f203592361b7af210
Instruction ID: 47c3bcd7b1295367621c62b4be0f2a43f1b597097f1946c23e88bb1145838f63
Opcode Fuzzy Hash: 4c5f19c6d512e3f3f1f97aff56d49e9e1e275d8c16b9924f203592361b7af210
Instruction Fuzzy Hash: 51127C35604211AFDB14DF15C481F2AB7E5EF88758F04885EF84A9B3A2DB39EC41CB99

Function 004D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D09C6
_wcslen.LIBCMT ref: 004D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D0A54
_wcslen.LIBCMT ref: 004D0A8A
_wcslen.LIBCMT ref: 004D0B06
_wcslen.LIBCMT ref: 004D0B81

Part of subcall function 0045F9F2: _wcslen.LIBCMT ref: 0045F9FD

Part of subcall function 004A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A2BFA

Strings

SELECT, xrefs: 004D0D11
COLLAPSE, xrefs: 004D0B01, 004D0B1C
GETSELECTED, xrefs: 004D0C4E
GETITEMCOUNT, xrefs: 004D0C1E
ISCHECKED, xrefs: 004D0CE1
CHECK, xrefs: 004D0A85, 004D0AA0
GETTEXT, xrefs: 004D0C97
EXISTS, xrefs: 004D0B7C, 004D0B97
EXPAND, xrefs: 004D0BF8
GETTOTALCOUNT, xrefs: 004D09F2, 004D0A17
UNCHECK, xrefs: 004D0D3E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9cbce4118ddbecbb2492ef258fe206cbd69778df5518d2241bac77eff38db762
Instruction ID: d8d6a5fd7b41486e3cc6cd57e964e7b1eeac48dfdee597c5830f92ba6392fa2b
Opcode Fuzzy Hash: 9cbce4118ddbecbb2492ef258fe206cbd69778df5518d2241bac77eff38db762
Instruction Fuzzy Hash: 04E17C316087019FC714DF25C460A2AB7E1BF98318F14495FF8965B3A2D739ED4ACB8A

Function 004CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
_wcslen.LIBCMT ref: 004CC9F1
_wcslen.LIBCMT ref: 004CCA68
_wcslen.LIBCMT ref: 004CCA9E
_wcslen.LIBCMT ref: 004CCAF9
_wcslen.LIBCMT ref: 004CCB2F
_wcslen.LIBCMT ref: 004CCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 004CCB79, 004CCB7E
HKCR, xrefs: 004CCB29, 004CCB2E
HKEY_CURRENT_USER, xrefs: 004CCBBD
HKCU, xrefs: 004CCBCE
HKEY_CLASSES_ROOT, xrefs: 004CCAF3, 004CCAF8
HKCC, xrefs: 004CCBAC
HKU, xrefs: 004CCBF0
HKLM, xrefs: 004CCA98, 004CCA9D
HKEY_USERS, xrefs: 004CCBDF
HKEY_LOCAL_MACHINE, xrefs: 004CCA62, 004CCA67

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 978e368687f166b8eb26426a429886eec5b74cb70635607f846c8584e021b9b7
Instruction ID: e0d0e9f7f9e9d9e2d5ca14b48231ab727a9f62f603bac46fa804e75069288831
Opcode Fuzzy Hash: 978e368687f166b8eb26426a429886eec5b74cb70635607f846c8584e021b9b7
Instruction Fuzzy Hash: 5871073AA0052A8BCB50DE799881FBF3391AB64754B10012EF85A97384F639DD45C359

Function 004D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004D835A
_wcslen.LIBCMT ref: 004D836E
_wcslen.LIBCMT ref: 004D8391
_wcslen.LIBCMT ref: 004D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,004D361A,?), ref: 004D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004D8501
FreeLibrary.KERNEL32(?), ref: 004D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004D851D
DestroyIcon.USER32(?), ref: 004D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004D8555

Strings

.exe, xrefs: 004D8388
.dll, xrefs: 004D83AB
.icl, xrefs: 004D8368

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 739a6bcffcfe10ec01f9c4c178212ab3bc48bd0b8b4bffdd62d2852785b8ee23
Instruction ID: 59b780dae6f6179a7f88121e31e1c5ba122b7f3154a9001b7b207d5aae5a4591
Opcode Fuzzy Hash: 739a6bcffcfe10ec01f9c4c178212ab3bc48bd0b8b4bffdd62d2852785b8ee23
Instruction Fuzzy Hash: 1C611371A00215BAEB14CF64DC91BBF77A8FB04711F10460FF815D62D1EB78A940C7A8

Function 00447778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0044785F, 004478B1
#ce, xrefs: 004478ED
Bad directive syntax error, xrefs: 0048519A
", xrefs: 00485153
#include-once, xrefs: 0044782F
Cannot parse #include, xrefs: 00485279
#comments-end, xrefs: 004478D9
Unterminated group of comments, xrefs: 0048528C
#include, xrefs: 00447847
#OnAutoItStartRegister, xrefs: 00447817
#requireadmin, xrefs: 004477FF
#cs, xrefs: 00447873, 004478C5
', xrefs: 00485169
#pragma compile, xrefs: 004477D3
#notrayicon, xrefs: 004477E7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 38d962144bae030dcc436dd2410536b898bfe6c24eb596e0952a69c567ed73e9
Instruction ID: 4281426903323de7a0a1442354c89715cd5a66f6238ab3ba75e102bdac81254b
Opcode Fuzzy Hash: 38d962144bae030dcc436dd2410536b898bfe6c24eb596e0952a69c567ed73e9
Instruction Fuzzy Hash: 88811871A00605BBEB21BF61DC42FAF3764AF15304F04442BF905AA292EB7DD916C79E

Function 004B3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004B3EF8
_wcslen.LIBCMT ref: 004B3F03
_wcslen.LIBCMT ref: 004B3F5A
_wcslen.LIBCMT ref: 004B3F98
GetDriveTypeW.KERNEL32(?), ref: 004B3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4087

Strings

close, xrefs: 004B3EFE, 004B3F18
open, xrefs: 004B3F54, 004B3F59
closed, xrefs: 004B3F08, 004B3F2D, 004B3F46, 004B3F7E, 004B3F97
type cdaudio alias cd wait, xrefs: 004B4001
wait, xrefs: 004B4044
open , xrefs: 004B3FE5
close cd wait, xrefs: 004B4072
set cd door , xrefs: 004B4028

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6debee4f223e03b4b8e66e87cc24bf1cab1041a313128be00df258e744c44dbc
Instruction ID: 1ce07d22fa5b8af40b0a5523f7563b236c5d83b20cfdb3214e198a8f53734751
Opcode Fuzzy Hash: 6debee4f223e03b4b8e66e87cc24bf1cab1041a313128be00df258e744c44dbc
Instruction Fuzzy Hash: DD71DF326042129FD310EF25C8818ABB7F4FF94758F00492EF89597291EB38ED49CB66

Function 004A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004A5A40
SetWindowTextW.USER32(?,?), ref: 004A5A57
GetDlgItem.USER32(?,000003EA), ref: 004A5A6C
SetWindowTextW.USER32(00000000,?), ref: 004A5A72
GetDlgItem.USER32(?,000003E9), ref: 004A5A82
SetWindowTextW.USER32(00000000,?), ref: 004A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004A5AC3
GetWindowRect.USER32(?,?), ref: 004A5ACC
_wcslen.LIBCMT ref: 004A5B33
SetWindowTextW.USER32(?,?), ref: 004A5B6F
GetDesktopWindow.USER32 ref: 004A5B75
GetWindowRect.USER32(00000000), ref: 004A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004A5BD3
GetClientRect.USER32(?,?), ref: 004A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 004A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004A5C2F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8827e5c40be29343979ee832e74576b43d5f0ba24c3524c40d74d96de9a47105
Instruction ID: 772117a802ce897a0c165fbbbe222417f8abbcdc8da9b174d58084b0a8bb672f
Opcode Fuzzy Hash: 8827e5c40be29343979ee832e74576b43d5f0ba24c3524c40d74d96de9a47105
Instruction Fuzzy Hash: 14719271A00B059FDB20DFA8CE85A6FBBF5FF58705F10452AE142A26A0D778F904CB18

Function 004BFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 004BFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 004BFE32
LoadCursorW.USER32(00000000,00007F00), ref: 004BFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 004BFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 004BFE53
LoadCursorW.USER32(00000000,00007F01), ref: 004BFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 004BFE69
LoadCursorW.USER32(00000000,00007F88), ref: 004BFE74
LoadCursorW.USER32(00000000,00007F80), ref: 004BFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 004BFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 004BFE95
LoadCursorW.USER32(00000000,00007F85), ref: 004BFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 004BFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 004BFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 004BFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 004BFECC
GetCursorInfo.USER32(?), ref: 004BFEDC
GetLastError.KERNEL32 ref: 004BFF1E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d9c03ab3ebaf14a2e977f94620d176fa017aaca6a7df5cdc247cd6af124b87db
Instruction ID: 9060a4fffcfc5d26cdec9ba8a755cf2864339faa3ff17f561eb5e660a3edcd0c
Opcode Fuzzy Hash: d9c03ab3ebaf14a2e977f94620d176fa017aaca6a7df5cdc247cd6af124b87db
Instruction Fuzzy Hash: 034161B0D053196ADB10DFBA8C8986EBFE8FF04754B50452BE11DE7281DB78A901CEA5

Function 004A30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A318D
_wcslen.LIBCMT ref: 004A31F8

Strings

INSTANCE, xrefs: 004A3453
CLASSNN, xrefs: 004A31F3, 004A3204
NAME, xrefs: 004A3335, 004A3346
[P, xrefs: 004A339A
CLASS, xrefs: 004A3188, 004A31A5
REGEXPCLASS, xrefs: 004A3255, 004A3266
TEXT, xrefs: 004A347C

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[P
API String ID: 176396367-2337605258
Opcode ID: e15e1f239f9caeb71d35492d96d3578b4b4b424917d33e0974703c78c1bdebea
Instruction ID: 4202695980e25f4050cf88744d508a44e7a3126b48cae055a743837596620743
Opcode Fuzzy Hash: e15e1f239f9caeb71d35492d96d3578b4b4b424917d33e0974703c78c1bdebea
Instruction Fuzzy Hash: 48E1E532A00516ABCB14DF78C4517EFFBA0BF66715F14811BF456A7280FB38AE858B94

Function 004600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004600C6

Part of subcall function 004600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0051070C,00000FA0,FF3CCB28,?,?,?,?,004823B3,000000FF), ref: 0046011C
Part of subcall function 004600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004823B3,000000FF), ref: 00460127
Part of subcall function 004600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004823B3,000000FF), ref: 00460138
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0046014E
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0046015C
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0046016A
Part of subcall function 004600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00460195
Part of subcall function 004600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004601A0

___scrt_fastfail.LIBCMT ref: 004600E7

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

Strings

SleepConditionVariableCS, xrefs: 00460154
InitializeConditionVariable, xrefs: 00460148
kernel32.dll, xrefs: 00460133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00460122
WakeAllConditionVariable, xrefs: 00460162

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b4d6da1cc7fb0b7603400242dfd4480df2b898b6227e5797e54bb940ef144ae5
Instruction ID: 0cb4fae7b5c52e93b0157d1dac7299b2a4f4ca9feb39c943511fc883ab3646b3
Opcode Fuzzy Hash: b4d6da1cc7fb0b7603400242dfd4480df2b898b6227e5797e54bb940ef144ae5
Instruction Fuzzy Hash: 33212C326417116BE7205B64AC46B9F3794DB06B51F10023BFC02D23D1EBAC5804CA9E

Function 004B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004DCC08), ref: 004B4527
_wcslen.LIBCMT ref: 004B453B
_wcslen.LIBCMT ref: 004B4599
_wcslen.LIBCMT ref: 004B45F4
_wcslen.LIBCMT ref: 004B463F
_wcslen.LIBCMT ref: 004B46A7

Part of subcall function 0045F9F2: _wcslen.LIBCMT ref: 0045F9FD

GetDriveTypeW.KERNEL32(?,00506BF0,00000061), ref: 004B4743

Strings

fixed, xrefs: 004B4635, 004B463A
unknown, xrefs: 004B4708
all, xrefs: 004B4531, 004B4536
removable, xrefs: 004B45EA, 004B45EF
cdrom, xrefs: 004B458F, 004B4594
ramdisk, xrefs: 004B46F1
network, xrefs: 004B469D, 004B46A2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 183c4efda26571965d748204d2719285dd46cbdb63939346c2cdf65716c3452d
Instruction ID: 9e63dadc3888284e2c75a1c04aa69ff4858260facebb9894a86cfaf445a65aae
Opcode Fuzzy Hash: 183c4efda26571965d748204d2719285dd46cbdb63939346c2cdf65716c3452d
Instruction Fuzzy Hash: 61B102716083029BC710DF29C890AABB7E5AFE5724F10491EF496C7392EB38D845CA66

Function 004D911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DragQueryPoint.SHELL32(?,?), ref: 004D9147

Part of subcall function 004D7674: ClientToScreen.USER32(?,?), ref: 004D769A
Part of subcall function 004D7674: GetWindowRect.USER32(?,?), ref: 004D7710
Part of subcall function 004D7674: PtInRect.USER32(?,?,004D8B89), ref: 004D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004D9277
DragFinish.SHELL32(?), ref: 004D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004D9371

Strings

@GUI_DRAGID, xrefs: 004D92E9
@GUI_DRAGFILE, xrefs: 004D9320
p#Q, xrefs: 004D92BB
@GUI_DROPID, xrefs: 004D929E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#Q
API String ID: 221274066-1814383935
Opcode ID: fb1e94609065481e173d4aaef74c4a3f719e40abc3b7d1a0b13ed747ba35f4f8
Instruction ID: 6d3425b93d7e6b11737a42ab6cd0816991145cc34951e4b4185837d3ad10f331
Opcode Fuzzy Hash: fb1e94609065481e173d4aaef74c4a3f719e40abc3b7d1a0b13ed747ba35f4f8
Instruction Fuzzy Hash: 82617971108301AFD701EF65DC85DAFBBE8EF89354F00092FF595922A1DB349A49CB5A

Function 004C3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004DCC08), ref: 004C40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004C40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,004DCC08), ref: 004C40F2
FreeLibrary.KERNEL32(00000000,?,004DCC08), ref: 004C413E
StringFromGUID2.OLE32(?,?,00000028,?,004DCC08), ref: 004C41A8
SysFreeString.OLEAUT32(00000009), ref: 004C4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004C42C8
SysFreeString.OLEAUT32(?), ref: 004C42F2

Strings

kernel32.dll, xrefs: 004C40B6
GetModuleHandleExW, xrefs: 004C40C7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: db00c5f71bcb1cb87fcfb2d6c49d7afb10271b7f8ec90f9d914bade49a58d7b9
Instruction ID: 0ec28213cbabaf7658e11af4170e8776df5d22797ab0fe4e8905a283d7057238
Opcode Fuzzy Hash: db00c5f71bcb1cb87fcfb2d6c49d7afb10271b7f8ec90f9d914bade49a58d7b9
Instruction Fuzzy Hash: 71126A79A00105EFDB54CF94C998FAEB7B5BF84318F24809EE9059B251CB35ED42CBA4

Function 0044326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00511990), ref: 00482F8D
GetMenuItemCount.USER32(00511990), ref: 0048303D
GetCursorPos.USER32(?), ref: 00483081
SetForegroundWindow.USER32(00000000), ref: 0048308A
TrackPopupMenuEx.USER32(00511990,00000000,?,00000000,00000000,00000000), ref: 0048309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004830A9

Strings

0, xrefs: 0044327D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2c04e84bce4b41f03e3466344f75e9745e9226c9bc2cf37a50700351e9c0cb27
Instruction ID: 40eb11ddb95f34d65565841547660b33d72519578a65b558450ec61545f3adea
Opcode Fuzzy Hash: 2c04e84bce4b41f03e3466344f75e9745e9226c9bc2cf37a50700351e9c0cb27
Instruction Fuzzy Hash: 64711630640216BAFB219F25CD89FAEBF64FF05724F204257F614662E0C7F9A910DB99

Function 004D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 004D6DEB

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D6E94
DestroyWindow.USER32(?), ref: 004D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00440000,00000000), ref: 004D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D6EFD
GetDesktopWindow.USER32 ref: 004D6F16
GetWindowRect.USER32(00000000), ref: 004D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004D6F4D

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

Strings

tooltips_class32, xrefs: 004D6E58, 004D6EDD
0, xrefs: 004D6D98

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 03687c9bb53a2adfdcd7bca4e564fd03f774026d884ad1db69932916e2dae32d
Instruction ID: ab110c9c65ac116654aaf94f118da227ad4eb751781689f20c36eb2d8d67042a
Opcode Fuzzy Hash: 03687c9bb53a2adfdcd7bca4e564fd03f774026d884ad1db69932916e2dae32d
Instruction Fuzzy Hash: CB717970104645AFDB21CF18D898AABBBFAFB89304F05441FF99987361C774E909DB1A

Function 004BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004BC5F0
InternetCloseHandle.WININET(00000000), ref: 004BC5FB

Strings

, xrefs: 004BC575

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d44767b5704b07270319c0a7d3dc21a39540a95b7fd43b416a00924c953c8daf
Instruction ID: 8b5ee0e386a7dee170b546b570e7c1aeec5ee908da8c5b19d2f3fd95f559766d
Opcode Fuzzy Hash: d44767b5704b07270319c0a7d3dc21a39540a95b7fd43b416a00924c953c8daf
Instruction Fuzzy Hash: B1513BB1501209BFDB219F65C9C8AAB7BBCEF08754F00442BF945D6250DB38EA44DBB9

Function 004D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 004D8592
GetFileSize.KERNEL32(00000000,00000000), ref: 004D85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 004D85AD
CloseHandle.KERNEL32(00000000), ref: 004D85BA
GlobalLock.KERNEL32(00000000), ref: 004D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004D85D7
GlobalUnlock.KERNEL32(00000000), ref: 004D85E0
CloseHandle.KERNEL32(00000000), ref: 004D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004D85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,004DFC38,?), ref: 004D8611
GlobalFree.KERNEL32(00000000), ref: 004D8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 004D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004D8671
DeleteObject.GDI32(00000000), ref: 004D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004D86AF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 631c4d19d378fa699d54cb8ac3c6ba5e572a9809071cc1e4afdfc7f12063c690
Instruction ID: 34e5e88000cd8989c920addd1f1e9efa5710274dde80d5013b5116a9112b4fe0
Opcode Fuzzy Hash: 631c4d19d378fa699d54cb8ac3c6ba5e572a9809071cc1e4afdfc7f12063c690
Instruction Fuzzy Hash: E6411875601209AFDB119FA5DC98EAF7BBCEF89B11F10416AF905E7260DB349901CB28

Function 004B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 004B1502
VariantCopy.OLEAUT32(?,?), ref: 004B150B
VariantClear.OLEAUT32(?), ref: 004B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 004B1657
VariantInit.OLEAUT32(?), ref: 004B1708
SysFreeString.OLEAUT32(?), ref: 004B178C
VariantClear.OLEAUT32(?), ref: 004B17D8
VariantClear.OLEAUT32(?), ref: 004B17E7
VariantInit.OLEAUT32(00000000), ref: 004B1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004B1625
Default, xrefs: 004B16AF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b0945e463dd4627f31524a6d2bd4fdb78b28e20600b733dadcff96531be9ef32
Instruction ID: fa72a18a57bf4829436b30c01ea69df76f23a9b0913c8c471c9adaddefe3561e
Opcode Fuzzy Hash: b0945e463dd4627f31524a6d2bd4fdb78b28e20600b733dadcff96531be9ef32
Instruction Fuzzy Hash: E9D12571600105EBDB209F65E894BBEB7B5BF44700F94405BF8079B2A1DB38DC49DB6A

Function 004CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 004CB80A
RegCloseKey.ADVAPI32(?), ref: 004CB87E
RegCloseKey.ADVAPI32(?), ref: 004CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 004CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 004CB922
FreeLibrary.KERNEL32(00000000), ref: 004CB983
RegCloseKey.ADVAPI32(00000000), ref: 004CB994

Strings

advapi32.dll, xrefs: 004CB8ED
RegDeleteKeyExW, xrefs: 004CB8FE

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0a5e25966153a36ffed49910cbb8d83cbd049bd4879ee0e4cd3e5dec755772d7
Instruction ID: 347e06d35d53e4381452192e9f0146ddbdc994d2d4b015ed39e777a79e9d7f5f
Opcode Fuzzy Hash: 0a5e25966153a36ffed49910cbb8d83cbd049bd4879ee0e4cd3e5dec755772d7
Instruction Fuzzy Hash: A5C17D74205201AFD750DF15C495F2ABBE5FF84308F14855EE49A8B3A2CB39EC45CB96

Function 004C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004C25E8
CreateCompatibleDC.GDI32(?), ref: 004C25F4
SelectObject.GDI32(00000000,?), ref: 004C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004C26D0
SelectObject.GDI32(?,?), ref: 004C26D8
DeleteObject.GDI32(?), ref: 004C26E1
DeleteDC.GDI32(?), ref: 004C26E8
ReleaseDC.USER32(00000000,?), ref: 004C26F3

Strings

(, xrefs: 004C268D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fbd67658ae60b3fd6529da8495c870f13a97ee54a93308682e9e6ee4d97aba1a
Instruction ID: e6b935ce2dee1fbee1f7bcf5ef5f191660b016e06d10394a9b79d406cb03973e
Opcode Fuzzy Hash: fbd67658ae60b3fd6529da8495c870f13a97ee54a93308682e9e6ee4d97aba1a
Instruction Fuzzy Hash: E261E275D01219EFCF04CFA4D984EAEBBB5FF48310F20852AE955A7250D774A941CF64

Function 0047DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0047DAA1

Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D659
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D66B
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D67D
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D68F
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6A1
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6B3
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6C5
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6D7
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6E9
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6FB
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D70D
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D71F
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D731

_free.LIBCMT ref: 0047DA96

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047DAB8
_free.LIBCMT ref: 0047DACD
_free.LIBCMT ref: 0047DAD8
_free.LIBCMT ref: 0047DAFA
_free.LIBCMT ref: 0047DB0D
_free.LIBCMT ref: 0047DB1B
_free.LIBCMT ref: 0047DB26
_free.LIBCMT ref: 0047DB5E
_free.LIBCMT ref: 0047DB65
_free.LIBCMT ref: 0047DB82
_free.LIBCMT ref: 0047DB9A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9193a334a387b1161d04325ab83c226262d7405d35c72517ddfa759dc7c7393f
Instruction ID: 4c41409aafb36992286527732a4f043fb73985f6c2a3f42bcf1f351109b273ff
Opcode Fuzzy Hash: 9193a334a387b1161d04325ab83c226262d7405d35c72517ddfa759dc7c7393f
Instruction Fuzzy Hash: D5316CB1A042059FDB21AA3AD941B9BB7E8FF00314F14842BE14DD7291DA78BC848728

Function 004A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004A369C
_wcslen.LIBCMT ref: 004A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004A3797
GetClassNameW.USER32(?,?,00000400), ref: 004A380C
GetDlgCtrlID.USER32(?), ref: 004A385D
GetWindowRect.USER32(?,?), ref: 004A3882
GetParent.USER32(?), ref: 004A38A0
ScreenToClient.USER32(00000000), ref: 004A38A7
GetClassNameW.USER32(?,?,00000100), ref: 004A3921
GetWindowTextW.USER32(?,?,00000400), ref: 004A395D

Strings

%s%u, xrefs: 004A3734

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3bd87daaaf7d3257d69a4e0b575527f7456787709e392c0f64a1e62e2f5f8ba4
Instruction ID: 6ae17f8b9273ea31abe864e4f8453969fec46dcd7010c81b482319f29a0e3132
Opcode Fuzzy Hash: 3bd87daaaf7d3257d69a4e0b575527f7456787709e392c0f64a1e62e2f5f8ba4
Instruction Fuzzy Hash: E891D5B1204606AFD714DF24C885BABF7E8FF55345F00852EF999C2290EB38EA45CB95

Function 004A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004A4994
GetWindowTextW.USER32(?,?,00000400), ref: 004A49DA
_wcslen.LIBCMT ref: 004A49EB
CharUpperBuffW.USER32(?,00000000), ref: 004A49F7
_wcsstr.LIBVCRUNTIME ref: 004A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 004A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 004A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 004A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 004A4B20
GetWindowRect.USER32(?,?), ref: 004A4B8B

Strings

ThumbnailClass, xrefs: 004A4A6F, 004A4AF1

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8571b750164d61a668c6133b6d7b2a0490af9e18972d0e81458c7f42958dd753
Instruction ID: e405c71147f15f57a50106348d82258b32d6fc5d6d600da3ebef284a3c4d3ffd
Opcode Fuzzy Hash: 8571b750164d61a668c6133b6d7b2a0490af9e18972d0e81458c7f42958dd753
Instruction Fuzzy Hash: C391BE710042059FDB04CF14C981BAB77A8FFE5314F04846BFD859A296EB78ED45CBAA

Function 004ABF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00511990,000000FF,00000000,00000030), ref: 004ABFAC
SetMenuItemInfoW.USER32(00511990,00000004,00000000,00000030), ref: 004ABFE1
Sleep.KERNEL32(000001F4), ref: 004ABFF3
GetMenuItemCount.USER32(?), ref: 004AC039
GetMenuItemID.USER32(?,00000000), ref: 004AC056
GetMenuItemID.USER32(?,-00000001), ref: 004AC082
GetMenuItemID.USER32(?,?), ref: 004AC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004AC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004AC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004AC145

Strings

0, xrefs: 004ABF3D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 382ea8949d54b2590382ec782b0de2f5e8d4d6dba2082fde063f235edd780010
Instruction ID: 5a1c92a5367c4342cc356fec4353f73c17e921a9eeec36160ae1ce8c0fd065fb
Opcode Fuzzy Hash: 382ea8949d54b2590382ec782b0de2f5e8d4d6dba2082fde063f235edd780010
Instruction Fuzzy Hash: 3361A3B0A0025AAFDF11CF64DDC8AEF7BB9EB16344F04415AF811A3292D739AD05CB65

Function 004CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 004CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004CCD48

Part of subcall function 004CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004CCCAA
Part of subcall function 004CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 004CCCBD
Part of subcall function 004CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004CCCCF
Part of subcall function 004CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004CCD05
Part of subcall function 004CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 004CCCF3

Strings

advapi32.dll, xrefs: 004CCCB8
RegDeleteKeyExW, xrefs: 004CCCC9

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b27e478580137acf602751f1b19ac36a39dd7c2248366946845c235c75f1664e
Instruction ID: ffb223e39b25785f03960c2c364a4313e60c98bedd8421c9e1cf57b3ed978cf4
Opcode Fuzzy Hash: b27e478580137acf602751f1b19ac36a39dd7c2248366946845c235c75f1664e
Instruction Fuzzy Hash: 4A318575901129BBDB218B90DCC8EFFBB7CEF15740F00417AF90AE2240DB385A45DAA4

Function 004B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004B3D40
_wcslen.LIBCMT ref: 004B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 004B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 004B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004B3E55
CloseHandle.KERNEL32(00000000), ref: 004B3E60
CloseHandle.KERNEL32(00000000), ref: 004B3E6B

Strings

\, xrefs: 004B3D77
:, xrefs: 004B3D82
\??\%s, xrefs: 004B3D5B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 4eb4424bfdec42798a934fc026f8639219b02c3bd99be1c65370c3f6d9b6cfef
Instruction ID: 08754eaa7001a7b4817f019c95b6c6d061dab0965e505b8c5f3f2c677e07ed88
Opcode Fuzzy Hash: 4eb4424bfdec42798a934fc026f8639219b02c3bd99be1c65370c3f6d9b6cfef
Instruction Fuzzy Hash: C231817194021AAADB209FA1DC89FEF37BCAF88705F5041B6F50596160E7749744CB28

Function 004AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004AE6B4

Part of subcall function 0045E551: timeGetTime.WINMM(?,?,004AE6D4), ref: 0045E555

Sleep.KERNEL32(0000000A), ref: 004AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 004AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004AE727
SetActiveWindow.USER32 ref: 004AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 004AE773
Sleep.KERNEL32(000000FA), ref: 004AE77E
IsWindow.USER32 ref: 004AE78A
EndDialog.USER32(00000000), ref: 004AE79B

Strings

BUTTON, xrefs: 004AE719

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 766bc5d19e7fb57c2676f35befec53a9a354c04decee0c4a21eb0906a10e5a8e
Instruction ID: f6da4834670e6d2ea9f03893ad32c68fc7e4e825dbcac4906026d6d3edbb2c7a
Opcode Fuzzy Hash: 766bc5d19e7fb57c2676f35befec53a9a354c04decee0c4a21eb0906a10e5a8e
Instruction Fuzzy Hash: A8215074201206AFEF005F62ECC9B663B69E7B6349F504827F521822E1DF65AC14EA2C

Function 004AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004AEAA7

Strings

open , xrefs: 004AEA0C
status PlayMe mode, xrefs: 004AEA58
play PlayMe, xrefs: 004AEAA2
close PlayMe, xrefs: 004AEA6E, 004AEA9B
alias PlayMe, xrefs: 004AEA36
play PlayMe wait, xrefs: 004AEA91

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6b54a5211cb4e78ba977c7629484372726e93554c7a9fd18034ebe0f12c2a222
Instruction ID: 1e0731cb1aef30cd31610be7b8619a7985704d62c5d5167a954ba3ad015adf7f
Opcode Fuzzy Hash: 6b54a5211cb4e78ba977c7629484372726e93554c7a9fd18034ebe0f12c2a222
Instruction Fuzzy Hash: 6D117371A9025979E720A7A6DC4AEFF6EBCFBD2F04F44082B7811A20D1EE740D15C5B4

Function 004A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004A5CE2
GetWindowRect.USER32(00000000,?), ref: 004A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004A5D59
GetDlgItem.USER32(?,00000002), ref: 004A5D69
GetWindowRect.USER32(00000000,?), ref: 004A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004A5DCF
GetDlgItem.USER32(?,000003E9), ref: 004A5DDD
GetWindowRect.USER32(00000000,?), ref: 004A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004A5E31
GetDlgItem.USER32(?,000003EA), ref: 004A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 004A5E67

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d8ab6eac564c28ed43bd315e52fd17e53c8f5216d38b4bbaa8824c9ea2df4af2
Instruction ID: 8025beead35433bcbfa894cf3b113f742572bf09ba15338ab6817d2b57ff4699
Opcode Fuzzy Hash: d8ab6eac564c28ed43bd315e52fd17e53c8f5216d38b4bbaa8824c9ea2df4af2
Instruction Fuzzy Hash: 12511071B00606AFDF18CFA8DD89AAEBBB5FB59310F14812AF515E7290D7749E00CB54

Function 00458BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00458F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00458BE8,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 00458FC5

DestroyWindow.USER32(?), ref: 00458C81
KillTimer.USER32(00000000,?,?,?,?,00458BBA,00000000,?), ref: 00458D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00496973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 004969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 004969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000), ref: 004969D4
DeleteObject.GDI32(00000000), ref: 004969E6

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 01e2c28634c45e215f6a264d7ebe29cc524f6c3c153fc55f2abb909c3d2379df
Instruction ID: fac06a0071a65afe4b302710c687a75a5e5b44d627ce91bde6b78f4f3b106c70
Opcode Fuzzy Hash: 01e2c28634c45e215f6a264d7ebe29cc524f6c3c153fc55f2abb909c3d2379df
Instruction Fuzzy Hash: 5361CD30102A01DFCF229F15D948B6A7BF1FB50316F10856FE542AA661CB39AC89DF9D

Function 00459838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

GetSysColor.USER32(0000000F), ref: 00459862

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d6d585fdf9025992d3808c85545f581a4f4045d0cca6dff49c4dff52eb98e95f
Instruction ID: 8a02076f2f5f77d2a994f8750f7b42d9ca51fd81e508833349f74abd47b5310b
Opcode Fuzzy Hash: d6d585fdf9025992d3808c85545f581a4f4045d0cca6dff49c4dff52eb98e95f
Instruction Fuzzy Hash: D141B531115610EFDF206F389C84BBA3BA5AB06331F144627FDA28B2E2D7359C46DB19

Function 00478D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.F, xrefs: 0047903A, 00478FD0, 00478FF2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: .F
API String ID: 0-907655787
Opcode ID: 37e621771cf8e4cbb77e109ff4421e1903e7816c78f9b0a2cee663be812a2184
Instruction ID: 560dff50c83d399baf38652766be966e7e62b981ef7fd5e6b8ab28a65cd7b694
Opcode Fuzzy Hash: 37e621771cf8e4cbb77e109ff4421e1903e7816c78f9b0a2cee663be812a2184
Instruction Fuzzy Hash: 89C10874904285AFCF11DFA9D845BEEBBB0AF09314F04809FE55897392C7798D41CB69

Function 004A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0048F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 004A9717
LoadStringW.USER32(00000000,?,0048F7F8,00000001), ref: 004A9720

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0048F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 004A9742
LoadStringW.USER32(00000000,?,0048F7F8,00000001), ref: 004A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 004A9866

Strings

^ ERROR, xrefs: 004A97FB
Line %d:, xrefs: 004A97A0
Line %d (File "%s"):, xrefs: 004A978F
Error: , xrefs: 004A981D
%s (%d) : ==> %s: %s %s, xrefs: 004A984A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 290971066111bf094c26d0303308038a2c122ef348f2470aeef74d581d1ef5f0
Instruction ID: a4824d9b8aee4c59057fdb22b96538c762001f0df5a483f9f4ca1ee98f82a3e6
Opcode Fuzzy Hash: 290971066111bf094c26d0303308038a2c122ef348f2470aeef74d581d1ef5f0
Instruction Fuzzy Hash: 91415E72800209AAEF04FFE1DD86DEE7778AF15744F50042AB60172092EB396F58DB69

Function 004A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004A0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 004A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004A083C

Strings

SOFTWARE\Classes\, xrefs: 004A070E
\CLSID, xrefs: 004A0724
\IPC$, xrefs: 004A0784

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: a5452e32f522ba3c326aa17525912da9c4f3d417924510653561d018e6082925
Instruction ID: 6f3d916566a41965418ff5cec671c48d440b8f3260e7acd3b4bb56df12e57766
Opcode Fuzzy Hash: a5452e32f522ba3c326aa17525912da9c4f3d417924510653561d018e6082925
Instruction Fuzzy Hash: B3410A72C10229ABDF11EFA5DC95CEEB778FF14754F04452AE901A31A1EB385E14CB94

Function 004C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C3C5C
CoInitialize.OLE32(00000000), ref: 004C3C8A
CoUninitialize.OLE32 ref: 004C3C94
_wcslen.LIBCMT ref: 004C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 004C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 004C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 004C3F0E
CoGetObject.OLE32(?,00000000,004DFB98,?), ref: 004C3F2D
SetErrorMode.KERNEL32(00000000), ref: 004C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004C3FC4
VariantClear.OLEAUT32(?), ref: 004C3FD8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e672205afc5c5b2066de14a6f4d69df865e21aea9470df745c006064c14dd603
Instruction ID: a84987989226c92a782a6340020b9c0f8592ea422a3ab4dd241326cf1d4e666d
Opcode Fuzzy Hash: e672205afc5c5b2066de14a6f4d69df865e21aea9470df745c006064c14dd603
Instruction Fuzzy Hash: 75C135756082019FD740DF69C884E2BB7E9FF89749F00892EF98A9B250D734ED06CB56

Function 004B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 004B7BA3
CoCreateInstance.OLE32(004DFD08,00000000,00000001,00506E6C,?), ref: 004B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004B7C74
CoTaskMemFree.OLE32(?,?), ref: 004B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 004B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004B7D7A
CoTaskMemFree.OLE32(00000000), ref: 004B7D81
CoTaskMemFree.OLE32(00000000), ref: 004B7DD6
CoUninitialize.OLE32 ref: 004B7DDC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 69cf2e86039d90273f96a5b11d6ab5540bafb89b4e50292e9f526d37fd42b566
Instruction ID: cc6026e57c6da63cc7bb305a9e306f3638dd18adce957f56392dec946a98acfc
Opcode Fuzzy Hash: 69cf2e86039d90273f96a5b11d6ab5540bafb89b4e50292e9f526d37fd42b566
Instruction Fuzzy Hash: CCC12B75A04105AFDB14DF64C888DAEBBB9FF48308B1484AAF81A9B361D734ED45CB94

Function 004D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D5515
CharNextW.USER32(00000158), ref: 004D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D55AC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 175b97ef5795904b7d2201453a2249b6d87b3988ba6b2761488239fdf5edb42d
Instruction ID: dc48f658b94238dd445c9a0c68d609948e60eebcf3f12584cefca3247aed5bf2
Opcode Fuzzy Hash: 175b97ef5795904b7d2201453a2249b6d87b3988ba6b2761488239fdf5edb42d
Instruction Fuzzy Hash: CD61AF70900609ABDF10DF54CCA4AFF7BB9EB06360F10415BF925A6390DB788A81DB69

Function 0049FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0049FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0049FB08
VariantInit.OLEAUT32(?), ref: 0049FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0049FB3A
VariantCopy.OLEAUT32(?,?), ref: 0049FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0049FBA1
VariantClear.OLEAUT32(?), ref: 0049FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0049FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0049FBCC
VariantClear.OLEAUT32(?), ref: 0049FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0049FBE9

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0b25bbb83c11fe5cb213a46b5b50e83bff1be6c81844fc5d39fe85896c1fbeed
Instruction ID: 86e55309b752d91e3dfeba8b2cec71db397338d54a7fc3cafeacdb9cc508c34a
Opcode Fuzzy Hash: 0b25bbb83c11fe5cb213a46b5b50e83bff1be6c81844fc5d39fe85896c1fbeed
Instruction Fuzzy Hash: AB415135A002199FCF00DF64C8989AEBFB9EF48344F00807AE915E7261D734A949CF94

Function 004A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 004A9D22
GetKeyState.USER32(000000A0), ref: 004A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 004A9D57
GetKeyState.USER32(000000A1), ref: 004A9D6C
GetAsyncKeyState.USER32(00000011), ref: 004A9D84
GetKeyState.USER32(00000011), ref: 004A9D96
GetAsyncKeyState.USER32(00000012), ref: 004A9DAE
GetKeyState.USER32(00000012), ref: 004A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 004A9DD8
GetKeyState.USER32(0000005B), ref: 004A9DEA

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 47d7bead955a7e9b417ecd2702975da6fd474f86bb0d7188eb9bcd51438afca1
Instruction ID: 5c872d40948fecb9f7c062da0168a56dfb62cf8d837d3524ffaca164c31445d6
Opcode Fuzzy Hash: 47d7bead955a7e9b417ecd2702975da6fd474f86bb0d7188eb9bcd51438afca1
Instruction Fuzzy Hash: 4141B834504BCA69FF31966084443B7BEA06F33354F48805BD6C6567C2D7AD9DC4C79A

Function 004C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004C05BC
inet_addr.WSOCK32(?), ref: 004C061C
gethostbyname.WSOCK32(?), ref: 004C0628
IcmpCreateFile.IPHLPAPI ref: 004C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004C07B9
WSACleanup.WSOCK32 ref: 004C07BF

Strings

Ping, xrefs: 004C0676

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 50faa48f07d3bd07c09a2a8a8746c88cb0b3c38d8747cbf29f83989d5c0b752a
Instruction ID: 3cfc1af65c91c085351036befba3304f97affb0b364a81715ee517bbc7e92d1b
Opcode Fuzzy Hash: 50faa48f07d3bd07c09a2a8a8746c88cb0b3c38d8747cbf29f83989d5c0b752a
Instruction Fuzzy Hash: 51919B38609201EFD764DF15C489F1ABBE0AF44318F1485AEE4698B7A2C738ED45CF86

Function 004C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 004C8CF3

Part of subcall function 004A8E54: _wcslen.LIBCMT ref: 004A8E77

_wcslen.LIBCMT ref: 004C8D4E
_wcslen.LIBCMT ref: 004C8D9C
_wcslen.LIBCMT ref: 004C8DDC
_wcslen.LIBCMT ref: 004C8E6E

Strings

stdcall, xrefs: 004C8DD6, 004C8DDB
none, xrefs: 004C8E65, 004C8E6A
cdecl, xrefs: 004C8D48, 004C8D4D
winapi, xrefs: 004C8D96, 004C8D9B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 743d0407417a60069d8372ca2217ae10a54a83cbf03a3790d9f2a73b324dc4d9
Instruction ID: a4c4cc91180ebd4aee95765531939b8e34d929b53150667649cbcfe8f671f405
Opcode Fuzzy Hash: 743d0407417a60069d8372ca2217ae10a54a83cbf03a3790d9f2a73b324dc4d9
Instruction Fuzzy Hash: EE519D35A001169BCB54DF68C940ABFB7A5BF65324B20422FE826E73C5EB39DD40C798

Function 004C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 004C3774
CoUninitialize.OLE32 ref: 004C377F
CoCreateInstance.OLE32(?,00000000,00000017,004DFB78,?), ref: 004C37D9
IIDFromString.OLE32(?,?), ref: 004C384C
VariantInit.OLEAUT32(?), ref: 004C38E4
VariantClear.OLEAUT32(?), ref: 004C3936

Strings

Failed to create object, xrefs: 004C37E4, 004C389A
NULL Pointer assignment, xrefs: 004C381E
Invalid parameter, xrefs: 004C3865

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 31e0269cde4e8ad24dd7347f3b5408e362a04fe097866eaae3eb9076652757d1
Instruction ID: 51e5c8953608f785d01f228cb0cb84cbfdfbed3f063603b7ce6c74e9fb0b8530
Opcode Fuzzy Hash: 31e0269cde4e8ad24dd7347f3b5408e362a04fe097866eaae3eb9076652757d1
Instruction Fuzzy Hash: 7C618274608301AFD310EF55C849F5AB7E4EF49716F00881EF54597291C778EE49CBAA

Function 004B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004B33CF

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004B33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 004B3522
Line %d (File "%s"):, xrefs: 004B3443, 004B345C
"%s" (%d) : ==> %s:%s%s, xrefs: 004B3504
Error: , xrefs: 004B34D1
Incorrect parameters to object property !, xrefs: 004B34AB
^ ERROR , xrefs: 004B349E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 8f7a553dbca46bf7f13a731cdd00b211175b9dfcfa9435f393b5e6860a677f70
Instruction ID: 289b72da7b3a03d791f328ffb47dd04cfda2d24b2202c8020d0dbdd737c5f328
Opcode Fuzzy Hash: 8f7a553dbca46bf7f13a731cdd00b211175b9dfcfa9435f393b5e6860a677f70
Instruction Fuzzy Hash: B651D231900109BAEF14EFA1CD46EEEB778AF14749F10406AF50572092DB392F58DB69

Function 004AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004AB5FC
_wcslen.LIBCMT ref: 004AB608
_wcslen.LIBCMT ref: 004AB64D
_wcslen.LIBCMT ref: 004AB68C
_wcslen.LIBCMT ref: 004AB6C7

Strings

APPEND, xrefs: 004AB6C1, 004AB6C6
KEYS, xrefs: 004AB647, 004AB64C
EXISTS, xrefs: 004AB686, 004AB68B
REMOVE, xrefs: 004AB602, 004AB607

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 963dfe7c3bdc461b1a5192b9690d10f65212161070cf5b056dd4801f6197d378
Instruction ID: ed6aac5e941582bd447c76a36e75cdba909cc26188b70ef77df02fba8728d88d
Opcode Fuzzy Hash: 963dfe7c3bdc461b1a5192b9690d10f65212161070cf5b056dd4801f6197d378
Instruction Fuzzy Hash: 2441D432A001269ACB105F7D88905BF77A5EBB2758B24412BE461DB386E739CD81C7D5

Function 004B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004B5416
GetLastError.KERNEL32 ref: 004B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 004B54A7

Strings

READY, xrefs: 004B5460, 004B5468
UNKNOWN, xrefs: 004B5444
INVALID, xrefs: 004B5459
NOTREADY, xrefs: 004B544B
READONLY, xrefs: 004B5452

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 46bc3ea60578710bb73a459ebf58068e19fb0861446c15b4a1728fba2d9fe0f4
Instruction ID: a361114cabaeffe2bd6bf3cbdc9f1ab1a491e4915d9ae7350a166f2db07b9c0d
Opcode Fuzzy Hash: 46bc3ea60578710bb73a459ebf58068e19fb0861446c15b4a1728fba2d9fe0f4
Instruction Fuzzy Hash: BF318F35A006059FDB10DF68D488BEABBB4FB45309F14806BE405CB392D779DD86CBA5

Function 004D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004D3C79
SetMenu.USER32(?,00000000), ref: 004D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D3D10
IsMenu.USER32(?), ref: 004D3D24
CreatePopupMenu.USER32 ref: 004D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004D3D5B
DrawMenuBar.USER32 ref: 004D3D63

Strings

0, xrefs: 004D3C54
F, xrefs: 004D3D4E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 614e15d0731964440c1ed621d85bce6f004090904a01c051c4d384726ccbebb9
Instruction ID: 45b9bb1d052f631ac3cf69eba3b1afcdba3fbbeb082fb1fee560747cae313cdb
Opcode Fuzzy Hash: 614e15d0731964440c1ed621d85bce6f004090904a01c051c4d384726ccbebb9
Instruction Fuzzy Hash: 80417E75A0120AEFDF14CF64E8A4ADA77B6FF49351F14002AF94697360D734AA10CF59

Function 004A1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 004A1F64
GetDlgCtrlID.USER32 ref: 004A1F6F
GetParent.USER32 ref: 004A1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A1F8E
GetDlgCtrlID.USER32(?), ref: 004A1F97
GetParent.USER32(?), ref: 004A1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A1FAE

Strings

ListBox, xrefs: 004A1F21
ComboBox, xrefs: 004A1EEC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 9fa1709b8a8b0dc904c7928f284967eeee461447e0a2ca6b7e00a48f437da276
Instruction ID: f5c7be50a931bf27c86910526ec7639202ce470d87a3b807a6d1f0486944582c
Opcode Fuzzy Hash: 9fa1709b8a8b0dc904c7928f284967eeee461447e0a2ca6b7e00a48f437da276
Instruction Fuzzy Hash: 9121B075900214BFDF04AFA0DC85DEEBBB8EF26354F00011BB961672E1DB389904DB68

Function 004A1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 004A2043
GetDlgCtrlID.USER32 ref: 004A204E
GetParent.USER32 ref: 004A206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A206D
GetDlgCtrlID.USER32(?), ref: 004A2076
GetParent.USER32(?), ref: 004A208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A208D

Strings

ListBox, xrefs: 004A2002
ComboBox, xrefs: 004A1FCD

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 971d5ede5c9fde8da13e69f7927e621dabf1bf9405b4205e876d6b2646b10c17
Instruction ID: 675c691d53afa790d77dcce7d8ee2ba19b9af5ce0010caea81e07894d3b04ead
Opcode Fuzzy Hash: 971d5ede5c9fde8da13e69f7927e621dabf1bf9405b4205e876d6b2646b10c17
Instruction Fuzzy Hash: 0721C275900214BBDF10AFA4CC85EEFBFB8EF16344F000017BA51A72A1DA799914EB68

Function 004D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004D3C13

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 49a514794b7ebca6d930d070e56aa01e774dc6c93a0e0c60509f15441701a7c4
Instruction ID: ef94fb0efb48d4861ed8a2e6318f36124b4d066f59b6d755ade031678a1fbff2
Opcode Fuzzy Hash: 49a514794b7ebca6d930d070e56aa01e774dc6c93a0e0c60509f15441701a7c4
Instruction Fuzzy Hash: D1617975A00208AFDB10DFA8CC91EEE77B8EB09704F10419BFA15A73A2D774AE45DB54

Function 004AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004AB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB165
GetWindowThreadProcessId.USER32(00000000), ref: 004AB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 004AB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB21D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f7a79e6be196df47785fd8f7f86215ff970d9a9da1c1f2d71380e6a30f120684
Instruction ID: 7715f3740331e5420b40fd37d1d324d4b2eb97fd5e93cfde2c07094da488ee95
Opcode Fuzzy Hash: f7a79e6be196df47785fd8f7f86215ff970d9a9da1c1f2d71380e6a30f120684
Instruction Fuzzy Hash: E531A072541205BFDB109F64EC9CBAE7BA9FB76391F108057F900D6291E7B89904CFA8

Function 00472C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00472C94

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 00472CA0
_free.LIBCMT ref: 00472CAB
_free.LIBCMT ref: 00472CB6
_free.LIBCMT ref: 00472CC1
_free.LIBCMT ref: 00472CCC
_free.LIBCMT ref: 00472CD7
_free.LIBCMT ref: 00472CE2
_free.LIBCMT ref: 00472CED
_free.LIBCMT ref: 00472CFB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aebb17aa106131ab861c1e68e5ea04c1e22dbb2af2e4a09f87f3d58975d57af0
Instruction ID: 0ba3b8f7b91fd406bf8d2d1919e05e77fa0f5982a4ff7400bf81e1149e669720
Opcode Fuzzy Hash: aebb17aa106131ab861c1e68e5ea04c1e22dbb2af2e4a09f87f3d58975d57af0
Instruction Fuzzy Hash: 52110AF5200008AFCB02EF65DA42CDD7B65FF05344F44809AFA4C5F222D675EE949B94

Function 004B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 004B7FC1
GetFileAttributesW.KERNEL32(?), ref: 004B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 004B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004B80B0

Strings

*.*, xrefs: 004B8066

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7d3b40505bf7d096850dcaf84dfd87411f6d563d969e6fe2cbd9fb05242adb09
Instruction ID: 56d5c8a5a28bd6807d202643043f4ca5e4a9652bd61248bcd9569d178b81017f
Opcode Fuzzy Hash: 7d3b40505bf7d096850dcaf84dfd87411f6d563d969e6fe2cbd9fb05242adb09
Instruction Fuzzy Hash: C5817E715082419BDB20EF15C4849ABB3E8AFC9354F144C6FF885D7250EB39DD49CB6A

Function 00445BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00445C7A

Part of subcall function 00445D0A: GetClientRect.USER32(?,?), ref: 00445D30
Part of subcall function 00445D0A: GetWindowRect.USER32(?,?), ref: 00445D71
Part of subcall function 00445D0A: ScreenToClient.USER32(?,?), ref: 00445D99

GetDC.USER32 ref: 004846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00484708
SelectObject.GDI32(00000000,00000000), ref: 00484716
SelectObject.GDI32(00000000,00000000), ref: 0048472B
ReleaseDC.USER32(?,00000000), ref: 00484733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004847C4

Strings

U, xrefs: 00484693

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7f382ea5cb6f26f31b4c7808c94b90fe8f32831674c9443cd76927ef03ec3865
Instruction ID: b6243a5f60f5ac163331f7952c2bda72984b2bd8d9ebeee4d4f63d540300dd59
Opcode Fuzzy Hash: 7f382ea5cb6f26f31b4c7808c94b90fe8f32831674c9443cd76927ef03ec3865
Instruction Fuzzy Hash: 7F71F330400206DFDF21AF64C984ABE7BB1FF86324F14466BED515A2A6D7398842DF59

Function 004B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004B35E4

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

LoadStringW.USER32(00512390,?,00000FFF,?), ref: 004B360A

Strings

^ ERROR, xrefs: 004B36C9
"%s" (%d) : ==> %s:, xrefs: 004B3742
Line %d (File "%s"):, xrefs: 004B366B
"%s" (%d) : ==> %s:%s%s, xrefs: 004B3724
Error: , xrefs: 004B36EF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0ed085f5c5e6595c87a2183925352561f9d0a3d805b520be27ae2c0e3a15642d
Instruction ID: 89feca932b25eb1934f002c45981a3138d9e7feaa22e967ad3dd4ccbd8e43e3e
Opcode Fuzzy Hash: 0ed085f5c5e6595c87a2183925352561f9d0a3d805b520be27ae2c0e3a15642d
Instruction Fuzzy Hash: FC519471800509BAEF14EFA1CC81EEEBB74AF14705F14416AF50572191DB381B99DF69

Function 004BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004BC2CA
GetLastError.KERNEL32 ref: 004BC322
SetEvent.KERNEL32(?), ref: 004BC336
InternetCloseHandle.WININET(00000000), ref: 004BC341

Strings

, xrefs: 004BC2BB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 15b851f1451f0355dff9657068b37e56859aeabed1a0a91bddc0234ee3789367
Instruction ID: d12884eb4a65cfe9831250f70e7a97f93005dc25e37f68aefdc3630dda6740db
Opcode Fuzzy Hash: 15b851f1451f0355dff9657068b37e56859aeabed1a0a91bddc0234ee3789367
Instruction Fuzzy Hash: 2D317171601205AFD7219F658CC4AEB7BFCEB49744B54852FF886D2200DB38DD059BB9

Function 004A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00483AAF,?,?,Bad directive syntax error,004DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004A98BC
LoadStringW.USER32(00000000,?,00483AAF,?), ref: 004A98C3

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004A9987

Strings

Line %d:, xrefs: 004A9912
Error: , xrefs: 004A9955
%s (%d) : ==> %s.: %s %s, xrefs: 004A98F1
Line %d (File "%s"):, xrefs: 004A992D
., xrefs: 004A996D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2bdf4f05aa46bbe259827325a9d760e62a0e2e52d37d72f743b3548720c5ce72
Instruction ID: db3fadc2fa801c09b6b034043833da2a96834c0cff69deed8c4cfc9b732ae71c
Opcode Fuzzy Hash: 2bdf4f05aa46bbe259827325a9d760e62a0e2e52d37d72f743b3548720c5ce72
Instruction Fuzzy Hash: 6821D23280020AFBDF11AF90CC4AEEE3739BF14704F04042BF515220A2EB389A28DB55

Function 004A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004A214D

Strings

largeicons, xrefs: 004A20E1
details, xrefs: 004A20FB
smallicons, xrefs: 004A2115
SHELLDLL_DefView, xrefs: 004A20CC
list, xrefs: 004A212F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b8198aa6e0ca5c09d75d16426c9aab8d22ac6b084da093975505dfaea1cbf71f
Instruction ID: 60df70ff62491273c9fff2d1bdf62acfe89a4f5d0518ed9aaacdb005b56aa79b
Opcode Fuzzy Hash: b8198aa6e0ca5c09d75d16426c9aab8d22ac6b084da093975505dfaea1cbf71f
Instruction Fuzzy Hash: 8A11207668470775FA012625DD07DAB379CDF16314F20012BF705A51D1FEE9AC42691D

Function 0047CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0047CEB7
_free.LIBCMT ref: 0047CF22
_free.LIBCMT ref: 0047CF48
_free.LIBCMT ref: 0047CF71
_free.LIBCMT ref: 0047CFA9
_free.LIBCMT ref: 0047CFDA
_free.LIBCMT ref: 0047D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0047D09C
_free.LIBCMT ref: 0047D0B5

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 7512a94352c9d2d7db5226a3f5c9ec695be6c04f4991c868b0f733b4a0954bd9
Instruction ID: 8998aa18cf2f96a98cc445552d8a12f738e25ffa69d6fb7e681a71822c40bc0c
Opcode Fuzzy Hash: 7512a94352c9d2d7db5226a3f5c9ec695be6c04f4991c868b0f733b4a0954bd9
Instruction Fuzzy Hash: EB6167B1A04200AFCB21AFB5A8C1AEE7BA5AF01324F04C16FF94C973C1D67D99458798

Function 004D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004D5186
ShowWindow.USER32(?,00000000), ref: 004D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004D51D1

Part of subcall function 004D6FBA: DeleteObject.GDI32(00000000), ref: 004D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 004D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 004D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 004D5296

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: ca64b5ae814ac157c5aff9d3b0caf43bb4ef10106ae2fc658fdc62e2b1188733
Instruction ID: 271e8283f0750d73b841dcb81508e3844a960d5895b893f6e4f70c3c0d6d9416
Opcode Fuzzy Hash: ca64b5ae814ac157c5aff9d3b0caf43bb4ef10106ae2fc658fdc62e2b1188733
Instruction Fuzzy Hash: 1751B030A40A09FEEF209F25CC69BD93B71EB05365F144057FA24963E1CB79A988DF49

Function 00458B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00496890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00458874,00000000,00000000,00000000,000000FF,00000000), ref: 00496901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0049691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00458874,00000000,00000000,00000000,000000FF,00000000), ref: 0049692D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d26b87c3ec0cc63a5604e2c480ad1b71e1ec560614691cb08f5f59c00dc797f1
Instruction ID: 3d9d252fd6670256bf7d472955d5b17426a994a3c40cb45c316a390f91522449
Opcode Fuzzy Hash: d26b87c3ec0cc63a5604e2c480ad1b71e1ec560614691cb08f5f59c00dc797f1
Instruction Fuzzy Hash: 7A518B70600209EFDB20CF25CC91FAA7BB9FB54351F10452EF952A72A0DB78E955DB48

Function 004BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004BC182
GetLastError.KERNEL32 ref: 004BC195
SetEvent.KERNEL32(?), ref: 004BC1A9

Part of subcall function 004BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004BC272
Part of subcall function 004BC253: GetLastError.KERNEL32 ref: 004BC322
Part of subcall function 004BC253: SetEvent.KERNEL32(?), ref: 004BC336
Part of subcall function 004BC253: InternetCloseHandle.WININET(00000000), ref: 004BC341

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3d222d4571ad41a43c9b383e354691c142bd969bfc41157a36649bf9fcc2c101
Instruction ID: f9df2617791211eb2f39e988012895d8db24782670b1aa82498a0df620bffa4b
Opcode Fuzzy Hash: 3d222d4571ad41a43c9b383e354691c142bd969bfc41157a36649bf9fcc2c101
Instruction Fuzzy Hash: A5318D71A01602AFDB259FA59CC4AA7BBE9FF58300B00446FF95686610C734E810DBB8

Function 004A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 004A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004A2627

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 909944f577f2669676cef74bab3037bcc196fcc7eb2671ba074d5b9379709817
Instruction ID: 8631db7f7a30711a9c15e0dc5eb50f0979069d6aaad4fe4558ce54345911e352
Opcode Fuzzy Hash: 909944f577f2669676cef74bab3037bcc196fcc7eb2671ba074d5b9379709817
Instruction Fuzzy Hash: 2E01B130691220BBFB106B699CCAF593F59EB5AB12F100016F318AE0D1C9E26444DA6E

Function 004A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004A1449,?,?,00000000), ref: 004A180C
HeapAlloc.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004A1449,?,?,00000000), ref: 004A1828
GetCurrentProcess.KERNEL32(?,00000000,?,004A1449,?,?,00000000), ref: 004A1830
DuplicateHandle.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004A1449,?,?,00000000), ref: 004A1843
GetCurrentProcess.KERNEL32(004A1449,00000000,?,004A1449,?,?,00000000), ref: 004A184B
DuplicateHandle.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A184E
CreateThread.KERNEL32(00000000,00000000,004A1874,00000000,00000000,00000000), ref: 004A1868

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: dc6495899f31bcdcdf009a46f695579bca38253cfd411dd27686dacfdbf80979
Instruction ID: bdf6b4eaa9eeae5254ed24fe74737f8e8b07cfa4fa553a3be1d1247a8ecd04ae
Opcode Fuzzy Hash: dc6495899f31bcdcdf009a46f695579bca38253cfd411dd27686dacfdbf80979
Instruction Fuzzy Hash: 4C01BFB5281315BFE710AB65DC8DF5B3B6CEB89B11F004421FA05DB1A1C6749C00CF24

Function 00473E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00473F0B
__alldvrm.LIBCMT ref: 0047410C
__alldvrm.LIBCMT ref: 0047412E

Strings

}}F, xrefs: 004740CD
}}F, xrefs: 00473E96, 00473EF1, 00473F0A, 00474090
}}F, xrefs: 00473E8A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}F$}}F$}}F
API String ID: 1036877536-383095928
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: f3e6061c1718ba565ccc466e0c020b4cab50d8d097cf18c0bee654123dbbbaf0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: BCA13771A002869FDB11DE18C8917FEBBE4EFA1354F14816FE5999B381C33C9982C759

Function 004CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 004AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 004AD501
Part of subcall function 004AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 004AD50F
Part of subcall function 004AD4DC: CloseHandle.KERNELBASE(00000000), ref: 004AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004CA16D
GetLastError.KERNEL32 ref: 004CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 004CA268
GetLastError.KERNEL32(00000000), ref: 004CA273
CloseHandle.KERNEL32(00000000), ref: 004CA2C4

Strings

SeDebugPrivilege, xrefs: 004CA18F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 32bc00c4b239634de8ebd2e346d0508e513fd0a226e27a484f93fa4f809ed43c
Instruction ID: 2ff1938ce34f780f0a64fd94d7596f15b2ee2de312a4735abe33709841a61638
Opcode Fuzzy Hash: 32bc00c4b239634de8ebd2e346d0508e513fd0a226e27a484f93fa4f809ed43c
Instruction Fuzzy Hash: 2561BF342052429FE720DF15C494F16BBE1AF4431CF18849EE4568B7A3C77AEC49CB8A

Function 004D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004D3954
_wcslen.LIBCMT ref: 004D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004D39F4

Strings

SysListView32, xrefs: 004D38F7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: c9e292629c104426d97e19e0eff4e73fe987805318f3b8a725e09d4cab64ef0a
Instruction ID: 25a7ecb3745f3a40b8832d9d99d8b10ec833bf11532d6485dc218388bc3bb7af
Opcode Fuzzy Hash: c9e292629c104426d97e19e0eff4e73fe987805318f3b8a725e09d4cab64ef0a
Instruction Fuzzy Hash: D941C171A00209ABEF219F64CC55BEB7BA9EF08354F10056BF948E7381D7759D84CB98

Function 004ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004ABCFD
IsMenu.USER32(00000000), ref: 004ABD1D
CreatePopupMenu.USER32 ref: 004ABD53
GetMenuItemCount.USER32(018F6BE0), ref: 004ABDA4
InsertMenuItemW.USER32(018F6BE0,?,00000001,00000030), ref: 004ABDCC

Strings

0, xrefs: 004ABCA8
2, xrefs: 004ABD37

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f6ff5cf6039889734dc2f11559b9f4903c15cbe3c2e2bb6b09886ecc51f77f5f
Instruction ID: 3c5c0361c0a5841879fd5d04493612cb6da1e4210aa0e88315f0744e42ee0d3f
Opcode Fuzzy Hash: f6ff5cf6039889734dc2f11559b9f4903c15cbe3c2e2bb6b09886ecc51f77f5f
Instruction Fuzzy Hash: 2E51CD70A00205ABDF11CFB9D8C4BAEBBF5EF66314F14422BE4419B392D7789941CB99

Function 00462D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00462D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00462D53
_ValidateLocalCookies.LIBCMT ref: 00462DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00462E0C
_ValidateLocalCookies.LIBCMT ref: 00462E61

Strings

&HF, xrefs: 00462DFE, 00462E07, 00462E18
csm, xrefs: 00462DF6

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HF$csm
API String ID: 1170836740-2649640693
Opcode ID: a1c496db19a748f7fecd5b7b189eaaf0d6d7c34c0b55bf4f9e38e2a780a85360
Instruction ID: 875ed444d15d527e8af61c4012b13fae0218efa7271b61c8fe7120f7e3cf08dd
Opcode Fuzzy Hash: a1c496db19a748f7fecd5b7b189eaaf0d6d7c34c0b55bf4f9e38e2a780a85360
Instruction Fuzzy Hash: 7E41F834A00609BBCF10DF69C944ADFBBB4BF45319F14816BE8146B352E7B99A01CBD6

Function 004AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004AC913

Strings

stop, xrefs: 004AC8E4
blank, xrefs: 004AC895
question, xrefs: 004AC8CC
info, xrefs: 004AC8B4
warning, xrefs: 004AC8FC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8f263f146b2c9e421d376799c5979851b965187df7f7fe4b3fdf0cf41e874e18
Instruction ID: 16b6ea95b1709cc9724e4b5dfe8e55fb97f2da5c576e3d4bc793332f902448f8
Opcode Fuzzy Hash: 8f263f146b2c9e421d376799c5979851b965187df7f7fe4b3fdf0cf41e874e18
Instruction Fuzzy Hash: D3112B75789307BAEB416B549CC2CAF27DCEF26319B10002FF500A63C2E7AC5D0052AE

Function 004ADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004ADE42
gethostname.WSOCK32(?,00000100), ref: 004ADE5C
gethostbyname.WSOCK32(?), ref: 004ADE69
inet_ntoa.WSOCK32(?), ref: 004ADEAB
_strcat.LIBCMT ref: 004ADEB9
WSACleanup.WSOCK32 ref: 004ADEDE

Strings

0.0.0.0, xrefs: 004ADE87

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f08be2e44bfe41d3bc652416644f04d2505dae82fab106979003b5751e4cd91b
Instruction ID: f3af1f278199b6cc1cbf7ac1cea5a57b0e4e061a83707dda274950cd125067ac
Opcode Fuzzy Hash: f08be2e44bfe41d3bc652416644f04d2505dae82fab106979003b5751e4cd91b
Instruction Fuzzy Hash: B9112471900106AFCB24AB319C4AEEF77ACDF22715F00017BF40696191FF788A81CA69

Function 004D9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

GetSystemMetrics.USER32(0000000F), ref: 004D9FC7
GetSystemMetrics.USER32(0000000F), ref: 004D9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 004DA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004DA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004DA263
ShowWindow.USER32(00000003,00000000), ref: 004DA282
InvalidateRect.USER32(?,00000000,00000001), ref: 004DA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 004DA2CA

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: fbd755e1ab466d482bf0847fc694c41c649ca48ce43c343490ed376af1944b1f
Instruction ID: 440ce6ad8c40993317254c2d2818feecd50e0ba8c4dcb544fccd95fe798cbbd2
Opcode Fuzzy Hash: fbd755e1ab466d482bf0847fc694c41c649ca48ce43c343490ed376af1944b1f
Instruction Fuzzy Hash: 68B1BA31600215EBDF14CF69C9A57AE3BB2FF44701F0880ABEC459B395D739A950CB5A

Function 004AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004AED2A
_wcslen.LIBCMT ref: 004AED3B
_wcslen.LIBCMT ref: 004AED79
_wcslen.LIBCMT ref: 004AEDAF
_wcslen.LIBCMT ref: 004AEDDF
_wcslen.LIBCMT ref: 004AEDEF
_wcslen.LIBCMT ref: 004AEE2B
_wcslen.LIBCMT ref: 004AEE5A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 03030b42329bdb120f1bf557848a0e08b7066b4cd98f0166303a6c46383f3569
Instruction ID: 61089c29621f4c03c018c975eff2bf5c02497322de218c5e031bb2b1b370a7aa
Opcode Fuzzy Hash: 03030b42329bdb120f1bf557848a0e08b7066b4cd98f0166303a6c46383f3569
Instruction Fuzzy Hash: 8C41B365D1021875DB11EBF6888A9CFB7A8AF46310F50846BE524E3161FB38E245C3AE

Function 0045F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0045F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0049F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0049F454

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 294d681eb5e4823b955328d1a3d09878e618d51fa5731f021491e0bcb6994c19
Instruction ID: a783f981f3eab997c494d709bb14b585c4ee7a8dcfc3491be260b677bcaca31f
Opcode Fuzzy Hash: 294d681eb5e4823b955328d1a3d09878e618d51fa5731f021491e0bcb6994c19
Instruction Fuzzy Hash: 1D412D71104E40BACB348B29888876B7F91AB56316F54403FE84792762C63DA88DCB1F

Function 004D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004D2D1B
GetDC.USER32(00000000), ref: 004D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004D2DE1

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8b82b2016ee0037bd65550d53c20b18dc26e805112ac20d2e2f631e31d5602ab
Instruction ID: da022ccd91059b4e424e5eb17b663db704d484db4083f15bb9dd614cd121231b
Opcode Fuzzy Hash: 8b82b2016ee0037bd65550d53c20b18dc26e805112ac20d2e2f631e31d5602ab
Instruction Fuzzy Hash: 15319F72202214BFEF114F50CC89FEB3BA9EF19715F044066FE089A291C6B59C41CBA8

Function 004A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004A5637
_memcmp.LIBVCRUNTIME ref: 004A5659
_memcmp.LIBVCRUNTIME ref: 004A5671
_memcmp.LIBVCRUNTIME ref: 004A5684
_memcmp.LIBVCRUNTIME ref: 004A569E
_memcmp.LIBVCRUNTIME ref: 004A56B1
_memcmp.LIBVCRUNTIME ref: 004A56C9
_memcmp.LIBVCRUNTIME ref: 004A56E4

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f722c7d1b621303366fab038fbb9ebe1397cba75fa7434abe2b346d8916bbd3b
Instruction ID: 005ae5f3177a376e18ccb004f5961deebc0fcb23072fc9ad72d40bf1aea8fc31
Opcode Fuzzy Hash: f722c7d1b621303366fab038fbb9ebe1397cba75fa7434abe2b346d8916bbd3b
Instruction Fuzzy Hash: 4521AA61641A0577E22455114F92FFB335CAF32788F544027FD1A5AB41F72CED1581AE

Function 004C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 004C502E, 004C5383
Not an Object type, xrefs: 004C5007

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 02fbd16973a26255c9ff3738aebf222eb37a839a7bfa153247bff2a0a08e3b09
Instruction ID: a9f2bec09532a0655e3794246d5f6830b869d37bbe4be8ca48634e73a6e8b997
Opcode Fuzzy Hash: 02fbd16973a26255c9ff3738aebf222eb37a839a7bfa153247bff2a0a08e3b09
Instruction Fuzzy Hash: D0D1BF79A0060A9FDF50CF98C884FAEB7B5BF48344F14806EE915AB281D774ED81CB54

Function 00481522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 004815CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00481651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004816E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004816FB

Part of subcall function 00473820: RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00481777
__freea.LIBCMT ref: 004817A2
__freea.LIBCMT ref: 004817AE

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9415c29822a50cf534b2c9ea2886be18ee35378679dbc8ba913e585e4bb60fe9
Instruction ID: fa4dccd8204f5dd146a8e28286fc9d4ce49fa7fdfc297254b883d7c7c22685ff
Opcode Fuzzy Hash: 9415c29822a50cf534b2c9ea2886be18ee35378679dbc8ba913e585e4bb60fe9
Instruction Fuzzy Hash: 6791B771E00216ABDB20AE64C881EEF7BB99F45314F184A5FE805E7261D73DCC42CB69

Function 004C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C4648
VariantInit.OLEAUT32(?), ref: 004C4749
VariantClear.OLEAUT32(?), ref: 004C4753
VariantClear.OLEAUT32(?), ref: 004C47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 004C472C
Null Object assignment in FOR..IN loop, xrefs: 004C45D8, 004C4706, 004C47BE

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 55c970fc8c2b92788b8e6ed23e0ec060e44d5dfc29106e925a2be5505a4de5d3
Instruction ID: 29f19847784d5d7a4d6f60b1afed354ba41887118bc72cf56a9dce0de3877e74
Opcode Fuzzy Hash: 55c970fc8c2b92788b8e6ed23e0ec060e44d5dfc29106e925a2be5505a4de5d3
Instruction Fuzzy Hash: AD91D234A00219ABDF60CFA5C994FAFBBB8EF85714F10815EF505AB280D7789945CFA4

Function 004B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 004B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B1430

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: cd22fbec725aee156c16e021021bf750f6382cf49d0238e32c128bf489128d04
Instruction ID: 3e29a73caaf2e29e2d8acd1ae114a487005196be0bc1ebb59270d384b97273b0
Opcode Fuzzy Hash: cd22fbec725aee156c16e021021bf750f6382cf49d0238e32c128bf489128d04
Instruction Fuzzy Hash: 22910371900219AFEB04DF95C8A4BFE77B5FF05315F10402BE900E72A1D778A946CBA9

Function 0045948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 944fb01354e0aaa822c6cc881e25c4ea0fb431730f0b050111b99771300e0e6a
Instruction ID: 74a8645b6ca3a0ca72b9aa6377109f8c0fc6ff87eb950cdc2085871ce9f207c8
Opcode Fuzzy Hash: 944fb01354e0aaa822c6cc881e25c4ea0fb431730f0b050111b99771300e0e6a
Instruction Fuzzy Hash: 16912771900219EFCB11CFA9C884AEEBBB8FF49320F14415AE915B7252D378AD56CB64

Function 004C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C396B
CharUpperBuffW.USER32(?,?), ref: 004C3A7A
_wcslen.LIBCMT ref: 004C3A8A
VariantClear.OLEAUT32(?), ref: 004C3C1F

Part of subcall function 004B0CDF: VariantInit.OLEAUT32(00000000), ref: 004B0D1F
Part of subcall function 004B0CDF: VariantCopy.OLEAUT32(?,?), ref: 004B0D28
Part of subcall function 004B0CDF: VariantClear.OLEAUT32(?), ref: 004B0D34

Strings

Incorrect Parameter format, xrefs: 004C39A6, 004C3BA1
AUTOIT.ERROR, xrefs: 004C3A80, 004C3A85

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: dcb787bf536ab1b0c03cb0edac8864d8eb9d8c3a5512c244d467ef2648999679
Instruction ID: f81e04b5ae747fc4d50f04f812d9c8d912e0cfc5c3ea3939cfe3068846855698
Opcode Fuzzy Hash: dcb787bf536ab1b0c03cb0edac8864d8eb9d8c3a5512c244d467ef2648999679
Instruction Fuzzy Hash: CF917C796083019FC740DF25C48096AB7E4FF88319F14896EF88997352DB39EE05CB96

Function 004C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?,?,004A035E), ref: 004A002B
Part of subcall function 004A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0046
Part of subcall function 004A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0054
Part of subcall function 004A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?), ref: 004A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 004C4C51
_wcslen.LIBCMT ref: 004C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 004C4DCF
CoTaskMemFree.OLE32(?), ref: 004C4DDA

Strings

NULL Pointer assignment, xrefs: 004C4E23, 004C4E52

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 43686361d4b16630570906179251e7a2b99c76102b686e5513720fa404d1aa51
Instruction ID: a92ec6f2eeebdb90253cbe6a5a76e55c58ae88e86a68cdb47fd6447623d2d603
Opcode Fuzzy Hash: 43686361d4b16630570906179251e7a2b99c76102b686e5513720fa404d1aa51
Instruction Fuzzy Hash: 61912671D00219AFDF10EFA5D890EEEB7B8BF48304F10856EE915A7251EB389A45CF64

Function 004D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004D2183
GetMenuItemCount.USER32(00000000), ref: 004D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004D21DD
_wcslen.LIBCMT ref: 004D2213
GetMenuItemID.USER32(?,?), ref: 004D224D
GetSubMenu.USER32(?,?), ref: 004D225B

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004D22E3

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b09723f5b22b62081e9719b0a53e07be125190fcd16de7f8dd6d87049f9848e1
Instruction ID: 1eb29127a43270096bd2fc703890d16d1accd9284dae8117433b47397054ab01
Opcode Fuzzy Hash: b09723f5b22b62081e9719b0a53e07be125190fcd16de7f8dd6d87049f9848e1
Instruction Fuzzy Hash: 8E71BF75A00215AFCB00DF65C991AAEB7F1EF58314F1484ABE816EB341D778EE42CB94

Function 004D7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018F6EB0), ref: 004D7F37
IsWindowEnabled.USER32(018F6EB0), ref: 004D7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 004D801E
SendMessageW.USER32(018F6EB0,000000B0,?,?), ref: 004D8051
IsDlgButtonChecked.USER32(?,?), ref: 004D8089
GetWindowLongW.USER32(018F6EB0,000000EC), ref: 004D80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004D80C3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 749feb432ad6bfe31d0f0212d12fbe5c9e4a36a275d539fe3f4ddcdb719fcf42
Instruction ID: cfa82f2d9c4b1b4e2f09fb6d85c25dc28d4f4f631e20ee820c381c64dca322b5
Opcode Fuzzy Hash: 749feb432ad6bfe31d0f0212d12fbe5c9e4a36a275d539fe3f4ddcdb719fcf42
Instruction Fuzzy Hash: 6B719E34608204AFEB319F64C8A4FBBBBB5EF19300F14405FE955973A1DB39A845DB18

Function 004AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004AAEF9
GetKeyboardState.USER32(?), ref: 004AAF0E
SetKeyboardState.USER32(?), ref: 004AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 004AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 004AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 004AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004AB020

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8b0b43fddfcb29ea99e8846d443d43ebcbaa136794b4c419bdc0ebb2d816c033
Instruction ID: 34b71844aad9456e71622ac18e9120943deb66be0a4762d1956c92165d82f850
Opcode Fuzzy Hash: 8b0b43fddfcb29ea99e8846d443d43ebcbaa136794b4c419bdc0ebb2d816c033
Instruction Fuzzy Hash: 6751D2A16087D53DFB3642348C45BBBBEA99B17304F08848BF1D5455C3C39CA894D799

Function 004AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004AAD19
GetKeyboardState.USER32(?), ref: 004AAD2E
SetKeyboardState.USER32(?), ref: 004AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004AAE38

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 866bf4d70252961e47356eb6ce41eb6091dfb151fa85dc2bf42c92ddca7d7f28
Instruction ID: b1e65f21ce83035a07029bb33c244386b57701b77e56a04236a3f084deb95884
Opcode Fuzzy Hash: 866bf4d70252961e47356eb6ce41eb6091dfb151fa85dc2bf42c92ddca7d7f28
Instruction Fuzzy Hash: 7A51E5A15447D13DFB3382248C85B7BBE995B67304F08848AE1D54A9C2C398ECA8D76A

Function 0047542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00483CD6,?,?,?,?,?,?,?,?,00475BA3,?,?,00483CD6,?,?), ref: 00475470
__fassign.LIBCMT ref: 004754EB
__fassign.LIBCMT ref: 00475506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00483CD6,00000005,00000000,00000000), ref: 0047552C
WriteFile.KERNEL32(?,00483CD6,00000000,00475BA3,00000000,?,?,?,?,?,?,?,?,?,00475BA3,?), ref: 0047554B
WriteFile.KERNEL32(?,?,00000001,00475BA3,00000000,?,?,?,?,?,?,?,?,?,00475BA3,?), ref: 00475584

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9549547556f51100c2141d25b0a1bdf8d4073b67f4d06855d02487afbecad6a7
Instruction ID: 40baae7a764fe4dd34d6ed3f700e3c6400a4d56e47c0465d07001c66f1f32300
Opcode Fuzzy Hash: 9549547556f51100c2141d25b0a1bdf8d4073b67f4d06855d02487afbecad6a7
Instruction Fuzzy Hash: 7651E6B0900649AFDB10CFA8D885AEEBBF9EF09300F14811FF959E7291D7749A45CB64

Function 004C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
Part of subcall function 004C304E: _wcslen.LIBCMT ref: 004C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004C1112
WSAGetLastError.WSOCK32 ref: 004C1121
WSAGetLastError.WSOCK32 ref: 004C11C9
closesocket.WSOCK32(00000000), ref: 004C11F9

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4c8cf4fb4acc085cd14a73aad5899841fba0f1a144b370504ba58131a25a8b32
Instruction ID: 47ffa7493e2015f64aa19a83b10b730bdadacdf65b648146cfaff894045f0197
Opcode Fuzzy Hash: 4c8cf4fb4acc085cd14a73aad5899841fba0f1a144b370504ba58131a25a8b32
Instruction Fuzzy Hash: 2B41D535600105AFDB109F14C884FAAB7E9EF46368F18815EFD159B292CB78ED41CBA9

Function 004ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ACF22,?), ref: 004ADDFD

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ACF22,?), ref: 004ADE16

lstrcmpiW.KERNEL32(?,?), ref: 004ACF45
MoveFileW.KERNEL32(?,?), ref: 004ACF7F
_wcslen.LIBCMT ref: 004AD005
_wcslen.LIBCMT ref: 004AD01B
SHFileOperationW.SHELL32(?), ref: 004AD061

Strings

\*.*, xrefs: 004ACFF3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5cd05277562859b17dc5cd017436be8e5492e8bbf59e18f1a9adca612e7dda75
Instruction ID: 392ac6026eeb3a22524224528d312c1bc87afe7fc8ef7bf82fcfc7fa6a892a5a
Opcode Fuzzy Hash: 5cd05277562859b17dc5cd017436be8e5492e8bbf59e18f1a9adca612e7dda75
Instruction Fuzzy Hash: B6415871D451195FDF52EBA5C9C1ADEB7B8AF15344F0000EBE505EB141EB38AA44CB54

Function 004D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004D2E1C
GetWindowLongW.USER32(?,000000F0), ref: 004D2E4F
GetWindowLongW.USER32(?,000000F0), ref: 004D2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004D2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 004D2EE0
GetWindowLongW.USER32(?,000000F0), ref: 004D2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D2F0B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 76477104da214ec9165e06b8005597cff0cac5f047b208d206b1b8f997a40c10
Instruction ID: fcfbbe9f3a7f35c7ee366bc3b880ab5396c1a7dc80de23eddae060bdac864776
Opcode Fuzzy Hash: 76477104da214ec9165e06b8005597cff0cac5f047b208d206b1b8f997a40c10
Instruction Fuzzy Hash: D4311530645151AFDB21CF18DDA4FA637E0EBAA711F1441A6FA108F3B1CBB5E844EB09

Function 004A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A778F
SysAllocString.OLEAUT32(00000000), ref: 004A7792
SysAllocString.OLEAUT32(?), ref: 004A77B0
SysFreeString.OLEAUT32(?), ref: 004A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004A77DE
SysAllocString.OLEAUT32(?), ref: 004A77EC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2c7285b21c92dcbca624528a4d301aaa0776766f4d00b32c12203005cd933674
Instruction ID: d834d9d838939c2bccd77927589367021da2b976bec31c93e0498fbe242491d2
Opcode Fuzzy Hash: 2c7285b21c92dcbca624528a4d301aaa0776766f4d00b32c12203005cd933674
Instruction Fuzzy Hash: 7121C77A605219AFDF10DFA8CC84CBB77ACEB1A3647008127F904DB291D674EC45CB68

Function 004A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7868
SysAllocString.OLEAUT32(00000000), ref: 004A786B
SysAllocString.OLEAUT32 ref: 004A788C
SysFreeString.OLEAUT32 ref: 004A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 004A78AF
SysAllocString.OLEAUT32(?), ref: 004A78BD

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fde7e71fc4c107838d5254e2a76b405179081c22a6d90ebe7c31c7fa08320942
Instruction ID: 58574808da0cbfdf40cb8d4d9d1eaa02c9caff67c5b7afd5d902c739162ff6cc
Opcode Fuzzy Hash: fde7e71fc4c107838d5254e2a76b405179081c22a6d90ebe7c31c7fa08320942
Instruction Fuzzy Hash: CE21A431609105AFDB20AFA8DC88DAB77ECEF19360710813AF915CB2A5D67CDC45CB68

Function 004B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B052E

Strings

nul, xrefs: 004B0567

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 74793bd0e7fb4925b538dfb35c6147ccbabbd2f7963e5a89d4c8a572857888ab
Instruction ID: 94b8e1d95637bcbf618ee58becd51ff788a14973bbe5ec2d16f6b1caa4af6b28
Opcode Fuzzy Hash: 74793bd0e7fb4925b538dfb35c6147ccbabbd2f7963e5a89d4c8a572857888ab
Instruction Fuzzy Hash: B7218DB1500306AFDB309F69DC44ADB7BE4AF54725F204A2AF8A1D62E0D7749941CF38

Function 004B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B0601

Strings

nul, xrefs: 004B0639

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d7a2e380bdf39fe4debcd54329ecb37c7a321aa895f093cc24d09092e63fd003
Instruction ID: b18e9eac55d7f52dcf7a31eba5c66707712f81b450b70839d2619d75c6bc7e60
Opcode Fuzzy Hash: d7a2e380bdf39fe4debcd54329ecb37c7a321aa895f093cc24d09092e63fd003
Instruction Fuzzy Hash: 3D217F75500306ABDB209F698C44ADB77E4BF95725F200B1AECA1E72E0D7749861CB28

Function 004D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
Part of subcall function 0044600E: GetStockObject.GDI32(00000011), ref: 00446060
Part of subcall function 0044600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004D4145

Strings

Msctls_Progress32, xrefs: 004D40E3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7c2b11f17bca165079468c48876145974ef0b443ba41a51deda4c95b43183e3c
Instruction ID: f69f012502aa063981a989bb5269bf26ec50392998d2356d6141488d885c4c8e
Opcode Fuzzy Hash: 7c2b11f17bca165079468c48876145974ef0b443ba41a51deda4c95b43183e3c
Instruction Fuzzy Hash: 121193B1150119BFEF118F64CC85EEB7F6DEF09798F014112B718A2190C6769C21DBA8

Function 0047D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0047D7A3: _free.LIBCMT ref: 0047D7CC

_free.LIBCMT ref: 0047D82D

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047D838
_free.LIBCMT ref: 0047D843
_free.LIBCMT ref: 0047D897
_free.LIBCMT ref: 0047D8A2
_free.LIBCMT ref: 0047D8AD
_free.LIBCMT ref: 0047D8B8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 804389c3e41c50e3092ec096abba039725b34e916578a4ab36863824884e7bd9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D51181F1A50B04AAD531BFB2CC07FCBBBEC6F40704F44882EB29DA6092DA6CB5494654

Function 004ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004ADA74
LoadStringW.USER32(00000000), ref: 004ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004ADA91
LoadStringW.USER32(00000000), ref: 004ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004ADAB9

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 90f324e552b8d78d3f5ff097c4d5291a76096da663af796a468f67d47592e2d4
Instruction ID: 8c8b13b5b8a3f2233f283526b221920a1c95ab5d42170351b8643db1df47f13f
Opcode Fuzzy Hash: 90f324e552b8d78d3f5ff097c4d5291a76096da663af796a468f67d47592e2d4
Instruction Fuzzy Hash: B80162F29002197FEB109BA09DC9EEB376CE709701F4045A7B706E2041EA749E848F78

Function 004B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(018EF910,018EF910), ref: 004B097B
EnterCriticalSection.KERNEL32(018EF8F0,00000000), ref: 004B098D
TerminateThread.KERNEL32(?,000001F6), ref: 004B099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004B09A9
CloseHandle.KERNEL32(?), ref: 004B09B8
InterlockedExchange.KERNEL32(018EF910,000001F6), ref: 004B09C8
LeaveCriticalSection.KERNEL32(018EF8F0), ref: 004B09CF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6c44b8b2652ed3c52ba62c1e75537857bdc89360587007c152d5d510ed2f846a
Instruction ID: 9f7172ae23fb9d0db2e95bf315e97fd0ea21d285f82abf9bc9784e8e49704f22
Opcode Fuzzy Hash: 6c44b8b2652ed3c52ba62c1e75537857bdc89360587007c152d5d510ed2f846a
Instruction Fuzzy Hash: E5F01D71483513ABD7515B94EEC8BD67B25BF01702F401126F101908A0C7749465CFA8

Function 00445D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00445D30
GetWindowRect.USER32(?,?), ref: 00445D71
ScreenToClient.USER32(?,?), ref: 00445D99
GetClientRect.USER32(?,?), ref: 00445ED7
GetWindowRect.USER32(?,?), ref: 00445EF8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 62542fb794da41b2ab9ccbd2637820f96d8aeb583f37f453c478466c5bc1f646
Instruction ID: 72480a2ec9acf83b844885cf84cbf01574e8bbcb00171fe7afb2dfbd4f94d667
Opcode Fuzzy Hash: 62542fb794da41b2ab9ccbd2637820f96d8aeb583f37f453c478466c5bc1f646
Instruction Fuzzy Hash: 30B16A78A0064ADBDF10DFA9C4806EEB7F1FF54310F14881AE8A9D7250D738AA51DB59

Function 004701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004700D6
__allrem.LIBCMT ref: 004700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0047010B
__allrem.LIBCMT ref: 00470122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00470140

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 8a8774b65479ff81f8b32aeb959697c4ecd07da5f41e5d7322bf7996e4bbdb77
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 62811471A01706DBE724AA29DC41BAB73E8EF41328F24852FF554D7381E7B9D9008B99

Function 004C1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,004C101C,00000000,?,?,00000000), ref: 004C3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 004C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004C1DE1
WSAGetLastError.WSOCK32 ref: 004C1DF2
inet_ntoa.WSOCK32(?), ref: 004C1E8C
htons.WSOCK32(?,?,?,?,?), ref: 004C1EDB
_strlen.LIBCMT ref: 004C1F35

Part of subcall function 004A39E8: _strlen.LIBCMT ref: 004A39F2

Part of subcall function 00446D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0045CF58,?,?,?), ref: 00446DBA
Part of subcall function 00446D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0045CF58,?,?,?), ref: 00446DED

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 7dc490251aaf75ca79d85c2bd2646c34cbfde84ecaa1e6392f76149486244bae
Instruction ID: ca8a2847cc84ffc41aa3e7961b915bd81ef9b0cccbd3704ed61b87c1586d9495
Opcode Fuzzy Hash: 7dc490251aaf75ca79d85c2bd2646c34cbfde84ecaa1e6392f76149486244bae
Instruction Fuzzy Hash: DDA1DE34104300AFD324EF25C881F2BB7A5AF86318F54895EF4565B2A3CB39ED46CB96

Function 004761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004682D9,004682D9,?,?,?,0047644F,00000001,00000001,8BE85006), ref: 00476258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0047644F,00000001,00000001,8BE85006,?,?,?), ref: 004762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004763D8
__freea.LIBCMT ref: 004763E5

Part of subcall function 00473820: RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

__freea.LIBCMT ref: 004763EE
__freea.LIBCMT ref: 00476413

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3b74c31726adfd5b9e2d7e5b9a8c70b5125f019879bf5c2e6354832ed129786b
Instruction ID: 20addcb45620c3d18e578df516695351e0960e7c310a6fd9a0780419a31d9ded
Opcode Fuzzy Hash: 3b74c31726adfd5b9e2d7e5b9a8c70b5125f019879bf5c2e6354832ed129786b
Instruction Fuzzy Hash: DE510672600616ABDB259F74CC81EEF77AAEF44714F16862AFC09D6241DB38DC44C768

Function 004CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CBD25
RegCloseKey.ADVAPI32(00000000), ref: 004CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004CBDF3
RegCloseKey.ADVAPI32(?), ref: 004CBDFF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5f7e6aee9be01fe69871ac690a035b5b70ff9785051708e3f4a3313cdd231ac2
Instruction ID: 869207f936dda75d7b6bc8b350bcfa863f4f331a00f0e5929e38f6971bbf575f
Opcode Fuzzy Hash: 5f7e6aee9be01fe69871ac690a035b5b70ff9785051708e3f4a3313cdd231ac2
Instruction Fuzzy Hash: 4281A174208241AFD754DF24C886E2BBBE5FF84308F14895EF45A4B2A2DB35ED05CB96

Function 0049F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0049F7B9
SysAllocString.OLEAUT32(00000001), ref: 0049F860
VariantCopy.OLEAUT32(0049FA64,00000000), ref: 0049F889
VariantClear.OLEAUT32(0049FA64), ref: 0049F8AD
VariantCopy.OLEAUT32(0049FA64,00000000), ref: 0049F8B1
VariantClear.OLEAUT32(?), ref: 0049F8BB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f037b728decf34ba4bdff9310879a2df0bb7c65dfd1a0af1855e75be9c62c669
Instruction ID: 0e96e7a2286b37358978302b7170fa36509b667e24c9d413439ee043a2ecaa37
Opcode Fuzzy Hash: f037b728decf34ba4bdff9310879a2df0bb7c65dfd1a0af1855e75be9c62c669
Instruction Fuzzy Hash: 4B51E571500310BADF10AB66D895B69BBA4EF45314B24847BE806DF292DB78CC49C7AF

Function 004B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004B94E5
_wcslen.LIBCMT ref: 004B9506
_wcslen.LIBCMT ref: 004B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 004B9585

Strings

X, xrefs: 004B9412

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a823d158dc0d7f61e7084ae3a90b15e082763a806dcaaed6a1767e0ebed1c614
Instruction ID: fc33dbc26a5e39ec74f57721e8582fc996a6fcaa2d91cacdcaf4c9ab1452db09
Opcode Fuzzy Hash: a823d158dc0d7f61e7084ae3a90b15e082763a806dcaaed6a1767e0ebed1c614
Instruction Fuzzy Hash: D8E194315083409FD724DF25C481A9BB7E0BF85318F14896EF9899B3A2DB35DD05CBA6

Function 0045920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

BeginPaint.USER32(?,?,?), ref: 00459241
GetWindowRect.USER32(?,?), ref: 004592A5
ScreenToClient.USER32(?,?), ref: 004592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004592D3
EndPaint.USER32(?,?,?,?,?), ref: 00459321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004971EA

Part of subcall function 00459339: BeginPath.GDI32(00000000), ref: 00459357

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 875fdfe8782e825b356bc2f9690063502b30fb2f741a747fc86d6d20401cdbab
Instruction ID: dd045b17d98a7e904e7a1406f694cfd32e55d5ef9c8618be4c25c069dd5f42f4
Opcode Fuzzy Hash: 875fdfe8782e825b356bc2f9690063502b30fb2f741a747fc86d6d20401cdbab
Instruction Fuzzy Hash: 7241B030105301EFDB10DF25CC85FBA7BA8EB59325F04066AFE64872A2C7349C49DB6A

Function 004B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004B0847
EnterCriticalSection.KERNEL32(?), ref: 004B0863
LeaveCriticalSection.KERNEL32(?), ref: 004B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004B0921

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6e13fb40079a0c156b7563a522a1d5e1282943aaf21e8759c697bc866bae3ade
Instruction ID: 7d505282309eacf58b106f1ba9a3a871465df72214dac83a2fcf77a7d95f5d5b
Opcode Fuzzy Hash: 6e13fb40079a0c156b7563a522a1d5e1282943aaf21e8759c697bc866bae3ade
Instruction Fuzzy Hash: A4416871900205EBDF14AF55DC85AAB77B8FF04305F1440AAED00AA297DB34DE68DBA8

Function 004D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0049F3AB,00000000,?,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 004D824C
EnableWindow.USER32(?,00000000), ref: 004D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004D82D1
ShowWindow.USER32(?,00000004), ref: 004D82E5
EnableWindow.USER32(?,00000001), ref: 004D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004D832F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6065a3ac7a61e88a810fd0874feb2e188f982ca7bd7243f69f370d6868508921
Instruction ID: 4dda4ff9f4f532e93b2cd8fab35a0e9d0f6a0309a71f9e075957fbe254f11ff0
Opcode Fuzzy Hash: 6065a3ac7a61e88a810fd0874feb2e188f982ca7bd7243f69f370d6868508921
Instruction Fuzzy Hash: E0417134601645AFDB11CF25CCA5BF57BE0BB0A715F1842EFEA184B362CB36A845CB58

Function 004A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004A4CEA
_wcslen.LIBCMT ref: 004A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004A4D10
_wcsstr.LIBVCRUNTIME ref: 004A4D1A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 20929e949129fc078ada40c3a5a6f243ab35b0969b168fb0b5068c1b8dd430c9
Instruction ID: 32d40bad69c6ad71967304679c1cf19ddec969ec7f7944f535f3a84abab70c75
Opcode Fuzzy Hash: 20929e949129fc078ada40c3a5a6f243ab35b0969b168fb0b5068c1b8dd430c9
Instruction Fuzzy Hash: B5210A316051017BEB155B359C49E7F7B9CDFD6750F10403FF805CA192EAA9DC01C265

Function 004B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

_wcslen.LIBCMT ref: 004B587B
CoInitialize.OLE32(00000000), ref: 004B5995
CoCreateInstance.OLE32(004DFCF8,00000000,00000001,004DFB68,?), ref: 004B59AE
CoUninitialize.OLE32 ref: 004B59CC

Strings

.lnk, xrefs: 004B5876, 004B58C1, 004B5985

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 09f44e5ae4eb8db61ebc69197f775f482b1986c5ab27262fc05c29e2fae43e5a
Instruction ID: cf24147f627aa88f744292aa4e359fe15088e3bace29697af8c3078ae3385c9a
Opcode Fuzzy Hash: 09f44e5ae4eb8db61ebc69197f775f482b1986c5ab27262fc05c29e2fae43e5a
Instruction Fuzzy Hash: 74D15471A087019FC714DF25C480A6ABBE1FF89718F14885EF8899B361D739EC45CBA6

Function 004A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004A0FCA
Part of subcall function 004A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004A0FD6
Part of subcall function 004A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004A0FE5
Part of subcall function 004A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004A0FEC
Part of subcall function 004A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004A1002

GetLengthSid.ADVAPI32(?,00000000,004A1335), ref: 004A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004A17BA
HeapAlloc.KERNEL32(00000000), ref: 004A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004A17DA
GetProcessHeap.KERNEL32(00000000,00000000,004A1335), ref: 004A17EE
HeapFree.KERNEL32(00000000), ref: 004A17F5

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6f9f49de300008e69bd10427186cd14bbfb9e7e3f650dbf31626e63c3995f137
Instruction ID: 976d4ca628bef872555c544b1ca0658c17fffc67f5813a53e7043c9163bdf345
Opcode Fuzzy Hash: 6f9f49de300008e69bd10427186cd14bbfb9e7e3f650dbf31626e63c3995f137
Instruction Fuzzy Hash: A211D035501216FFDB109FA4CC89FAFBBB9EF52355F10402AF481A72A0C739A940CB68

Function 004A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 004A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004A1515
CloseHandle.KERNEL32(00000004), ref: 004A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 004A1563

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 57eeda094e0d5ebaf6ec80180e767e2ac05c0211d024343bad6c57f6895f2e68
Instruction ID: 15ea8d859d0c465671aa0f3140cdcdf6b188f8fe3dbc65c85503299af5234cbc
Opcode Fuzzy Hash: 57eeda094e0d5ebaf6ec80180e767e2ac05c0211d024343bad6c57f6895f2e68
Instruction Fuzzy Hash: 9B11297250120AABDF128F98DE89BDE7BA9EF49744F044126FA05A21A0C375CE61DB64

Function 00463382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00463379,00462FE5), ref: 00463390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0046339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004633B7
SetLastError.KERNEL32(00000000,?,00463379,00462FE5), ref: 00463409

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 59d1793bc317ec3a4fa333abecabb3b9697f695bd71e074ea7746c3993e5b273
Instruction ID: 5564d2cd645d4ee8fdadce5634438be60f8a9652e17869fc412d8015dc5ec08c
Opcode Fuzzy Hash: 59d1793bc317ec3a4fa333abecabb3b9697f695bd71e074ea7746c3993e5b273
Instruction Fuzzy Hash: 0C01F532609351BEEA242F75AC8956F2E54DB1677B320032FF811803F1FF195D15A14E

Function 00472D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00475686,00483CD6,?,00000000,?,00475B6A,?,?,?,?,?,0046E6D1,?,00508A48), ref: 00472D78
_free.LIBCMT ref: 00472DAB
_free.LIBCMT ref: 00472DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0046E6D1,?,00508A48,00000010,00444F4A,?,?,00000000,00483CD6), ref: 00472DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0046E6D1,?,00508A48,00000010,00444F4A,?,?,00000000,00483CD6), ref: 00472DEC
_abort.LIBCMT ref: 00472DF2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4c3fb8f6a3e3de05c69fb44b1fa74301a19c4bf64b36c201fbf2e573b1092f5c
Instruction ID: 29741c454269a0fc804e15d6f851d3e66cb89a8ab89a42e72dced2cc05025eab
Opcode Fuzzy Hash: 4c3fb8f6a3e3de05c69fb44b1fa74301a19c4bf64b36c201fbf2e573b1092f5c
Instruction Fuzzy Hash: 2AF0493150150037C63227397E06ADF1619AFC2365F24C51FF82C922D2DEAC8841912C

Function 004D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00459639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596A2
Part of subcall function 00459639: BeginPath.GDI32(?), ref: 004596B9
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004D8A70
LineTo.GDI32(?,00000000,00000003), ref: 004D8A80
EndPath.GDI32(?), ref: 004D8A90
StrokePath.GDI32(?), ref: 004D8AA0

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 245919cc8688d0b38c734412184057a0c6759b8ef3b73f15e3b89e0c123529c7
Instruction ID: 879d9942a8ef9d6acfb98ed3872ea6ea06db535d15b9b0469ff273e25553ce45
Opcode Fuzzy Hash: 245919cc8688d0b38c734412184057a0c6759b8ef3b73f15e3b89e0c123529c7
Instruction Fuzzy Hash: 0411177600114DFFEF129F90DC88EEA7F6CEB08354F008066BA199A2A1C7719D55DFA4

Function 004A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 004A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004A5230
ReleaseDC.USER32(00000000,00000000), ref: 004A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 004A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 004A5261

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fdf42a5185e83e33acf756eea995a0baed75cda116181788e125eec15ab0aab5
Instruction ID: 843fc4c000778595a95891ad08ca1764b7578ec82991bca07192dea46f208f45
Opcode Fuzzy Hash: fdf42a5185e83e33acf756eea995a0baed75cda116181788e125eec15ab0aab5
Instruction Fuzzy Hash: DC018F75A01719BBEF109BA69C89B4EBFB8EF48351F044076FA04A7280D6709800CFA4

Function 00441BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00441BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00441BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00441C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00441C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00441C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00441C22

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c83abf816e19fbe678a3d153e99f99e7b88ef4ebd3da3a05734020392ece87c1
Instruction ID: 2fc67f94d43fd28da8e938f7441fca47cbb14ae0c51f724563d231210af2015c
Opcode Fuzzy Hash: c83abf816e19fbe678a3d153e99f99e7b88ef4ebd3da3a05734020392ece87c1
Instruction Fuzzy Hash: 160167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 004AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 004AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB75

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 77412e03bd695e857d9913174056e9f9331512be6b286cd82ff738a9786ecf35
Instruction ID: 7054845605fcb9c4d7f14d4bd4a228761581e58e61b844e4f67e71ce4ff4a0e9
Opcode Fuzzy Hash: 77412e03bd695e857d9913174056e9f9331512be6b286cd82ff738a9786ecf35
Instruction Fuzzy Hash: 79F05472142169BBEB215B529C4DEEF7F7CEFCBB11F00016AF611D1191DBA05A01CAB9

Function 00497439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00497452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00497469
GetWindowDC.USER32(?), ref: 00497475
GetPixel.GDI32(00000000,?,?), ref: 00497484
ReleaseDC.USER32(?,00000000), ref: 00497496
GetSysColor.USER32(00000005), ref: 004974B0

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f0dd28f1dea1d8d4c387c3e1d8b667d78e567d94ab241d668091df8176e53693
Instruction ID: f04e4643b0f4c4b5e92895c49a5107594a6ef7fdfe19b53a95548838e2490c6c
Opcode Fuzzy Hash: f0dd28f1dea1d8d4c387c3e1d8b667d78e567d94ab241d668091df8176e53693
Instruction Fuzzy Hash: 8E018B31405216FFDB105FA4DC48BAE7FB5FB04311F100172F916A21A1CB311E42EB59

Function 004A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004A187F
UnloadUserProfile.USERENV(?,?), ref: 004A188B
CloseHandle.KERNEL32(?), ref: 004A1894
CloseHandle.KERNEL32(?), ref: 004A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004A18A5
HeapFree.KERNEL32(00000000), ref: 004A18AC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a5845da449ff2005859ee37426824915d896e0d9511d9cc719c3049bca7ad70b
Instruction ID: 3d53e895ff4190afc8237d2857e3676783268a3ab1009ebf35200e3d3ccb2326
Opcode Fuzzy Hash: a5845da449ff2005859ee37426824915d896e0d9511d9cc719c3049bca7ad70b
Instruction Fuzzy Hash: EBE0E536085112FBDB016FA1ED4C90ABF39FF49B22B108232F225810B0CB329420DF58

Function 0044BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0044BEB3

Strings

D%Q, xrefs: 0044BDED, 0044BD91, 0044BD1B
D%Q, xrefs: 0044BE9A
D%QD%Q, xrefs: 0044BCA5
D%Q, xrefs: 0044BCA2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%Q$D%Q$D%Q$D%QD%Q
API String ID: 1385522511-2675459294
Opcode ID: 4fcf8aa9873ddece55a3007e5e5147d209f0f3208898c7caed342ab8f5210622
Instruction ID: 0ba7a8de2bb56d4c2ff83a37bdd18722cfed48367b30cee661fb2c7182108769
Opcode Fuzzy Hash: 4fcf8aa9873ddece55a3007e5e5147d209f0f3208898c7caed342ab8f5210622
Instruction Fuzzy Hash: 3D9128B5A002068FDB18CF59C0D06AABBF2FB58314F24816ED945AB350E735E982DBD4

Function 004C7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00460242: EnterCriticalSection.KERNEL32(0051070C,00511884,?,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046024D
Part of subcall function 00460242: LeaveCriticalSection.KERNEL32(0051070C,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046028A

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

__Init_thread_footer.LIBCMT ref: 004C7BFB

Part of subcall function 004601F8: EnterCriticalSection.KERNEL32(0051070C,?,?,00458747,00512514), ref: 00460202
Part of subcall function 004601F8: LeaveCriticalSection.KERNEL32(0051070C,?,00458747,00512514), ref: 00460235

Strings

+TI, xrefs: 004C7E2E
5, xrefs: 004C7C78
G, xrefs: 004C7C7F
Variable must be of type 'Object'., xrefs: 004C7C3A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TI$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2135982235
Opcode ID: d0693f69d967bdbab489ae742c0b1af5d2d1dfcea90eaa35b88de408065be6b6
Instruction ID: d814add8410bfd73be9f32f71b532d404978eff9d7fa82c2419d420fa5cb2141
Opcode Fuzzy Hash: d0693f69d967bdbab489ae742c0b1af5d2d1dfcea90eaa35b88de408065be6b6
Instruction Fuzzy Hash: 2F918E78604209AFCB54EF55D891EAEB7B1BF48304F10805EF8065B392DB39AE45CF59

Function 004AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004AC6EE
_wcslen.LIBCMT ref: 004AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004AC7CA

Strings

0, xrefs: 004AC6AF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e5450091ef20b05d64f3b342d3553055a1380988fc11f9915a9095c2a3e0d8a0
Instruction ID: e9de0057a82d3101d306c3bf0d885291ea8b28e1133229dc707f52b5993a6edf
Opcode Fuzzy Hash: e5450091ef20b05d64f3b342d3553055a1380988fc11f9915a9095c2a3e0d8a0
Instruction Fuzzy Hash: F751F2756043029BD791DF28C8C5B6B77E4AF6A314F040A2FF991D2291DB68D844CB5E

Function 004CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 004CAEA3

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

GetProcessId.KERNEL32(00000000), ref: 004CAF38
CloseHandle.KERNEL32(00000000), ref: 004CAF67

Strings

@, xrefs: 004CAE72
<, xrefs: 004CAE6B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 41151da05578dd00012091af4c10a8eea3ebe44ebc1000de10e40bd18a810dd6
Instruction ID: eb3454d2df6e9497d491bec623619317b1cf6e1e54fcbe778e461964d3bec5d4
Opcode Fuzzy Hash: 41151da05578dd00012091af4c10a8eea3ebe44ebc1000de10e40bd18a810dd6
Instruction Fuzzy Hash: 45717774A00619DFDB10EF55C484A9EBBF0EF08318F04849EE816AB392C778ED45CB99

Function 004A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004A72CF

Strings

DllGetClassObject, xrefs: 004A7242

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 428432876d29d91d613f319c34e7018e40604d125267dc3a9253c5e804b657b8
Instruction ID: c6391443badf660c9680812f54962052c7dd08a41da0e738279d96f76e949374
Opcode Fuzzy Hash: 428432876d29d91d613f319c34e7018e40604d125267dc3a9253c5e804b657b8
Instruction Fuzzy Hash: 62418E72604204AFDB25CF54CC84B9A7BA9EF55310F1480AFFD059F24AD7B8D945CBA4

Function 004D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D3E35
IsMenu.USER32(?), ref: 004D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004D3E92
DrawMenuBar.USER32 ref: 004D3EA5

Strings

0, xrefs: 004D3D89

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ddf1027fc23c76eaf2cdb71c26b891b3d3037cab7cf9d36f4f0acf8fb0989682
Instruction ID: 6f42d7d2e0be1b43691b42970ae5d8c4c3969089ee4154642ef558c2161ee4d5
Opcode Fuzzy Hash: ddf1027fc23c76eaf2cdb71c26b891b3d3037cab7cf9d36f4f0acf8fb0989682
Instruction Fuzzy Hash: 40418875A01209EFDB10DF50D894AEABBB9FF48351F04412BE901AB390D338AE44CF55

Function 004A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 004A1EA9

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Strings

ListBox, xrefs: 004A1E25
ComboBox, xrefs: 004A1DF0

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ad5dd05f16cb416e71c4cc882aa2a08b90f97b0f0645ea29cad23f12ee704af6
Instruction ID: 8062b52d5b2c8e71e972e48395cd1888bbb04a108106836093ac1577a3ca7879
Opcode Fuzzy Hash: ad5dd05f16cb416e71c4cc882aa2a08b90f97b0f0645ea29cad23f12ee704af6
Instruction Fuzzy Hash: 2921F671A00104AAEB14AB65DC86CFFB7B9DF56364F10412FF815A72E1DB3C4D0A9628

Function 004CC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004CC9F1
_wcslen.LIBCMT ref: 004CCA68
_wcslen.LIBCMT ref: 004CCA9E
_wcslen.LIBCMT ref: 004CCAF9
_wcslen.LIBCMT ref: 004CCB2F
_wcslen.LIBCMT ref: 004CCB7F

Strings

HKLM, xrefs: 004CCA98, 004CCA9D
HKEY_LOCAL_MACHINE, xrefs: 004CCA62, 004CCA67

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 506726882ab1321f8fa92e0faf6e266cb54a2cb5030ab49cc6214f0122ea348d
Instruction ID: d4f44ca2f23d891b77e659ab63d5aca697bcee00a4bfd937535a872a14ced96d
Opcode Fuzzy Hash: 506726882ab1321f8fa92e0faf6e266cb54a2cb5030ab49cc6214f0122ea348d
Instruction Fuzzy Hash: 8831397BA005698BCB60DF3D88C4BBF37915BA1784B05401FE849AB345F67BCD4493A8

Function 004D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004D2F8D
LoadLibraryW.KERNEL32(?), ref: 004D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004D2FA9
DestroyWindow.USER32(?), ref: 004D2FB1

Strings

SysAnimate32, xrefs: 004D2F68

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 2e07c8187005f3f5b2dd8b7b8abff6cbb2ca9c14b5ffecc1963abd3e76e293cf
Instruction ID: 69fc5b359d6b0e2a13b62caa9ddc6e2c35d8bf9d31ac1f74028bdf8afb82e4b9
Opcode Fuzzy Hash: 2e07c8187005f3f5b2dd8b7b8abff6cbb2ca9c14b5ffecc1963abd3e76e293cf
Instruction Fuzzy Hash: 3F219D71204205ABEB104F64DD90EBB37B9EB69368F104A2FF950D2390D7B5DC51A768

Function 00464D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00464D1E,004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002), ref: 00464D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00464DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00464D1E,004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000), ref: 00464DC3

Strings

CorExitProcess, xrefs: 00464D98
mscoree.dll, xrefs: 00464D86

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42afb1069db028b076edf69e026581dc4d11917a89267236b1ed0d6a6a8006bb
Instruction ID: b5cccaf866178dff355ca40e95ed31c07f5767f49721edb1756690f199d1f851
Opcode Fuzzy Hash: 42afb1069db028b076edf69e026581dc4d11917a89267236b1ed0d6a6a8006bb
Instruction Fuzzy Hash: E6F0C230A01219FBDB109F91DC49BAEBFB8EF44752F0001AAF805A2260DF745D80DF99

Function 00444E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00444EAE
FreeLibrary.KERNEL32(00000000,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EC0

Strings

kernel32.dll, xrefs: 00444E94
Wow64DisableWow64FsRedirection, xrefs: 00444EA8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a52d7c486517354af01fbd597d2dd8e2094850c149b3bb82e714c66a353d95ee
Instruction ID: 39f81a769c156fd04c0515c632d7469be6a33372fb770abbe9968e9c434623e5
Opcode Fuzzy Hash: a52d7c486517354af01fbd597d2dd8e2094850c149b3bb82e714c66a353d95ee
Instruction Fuzzy Hash: 8DE08635A025339BE22117256C5CB5F6758AFC2B637150127FC00D2354DF68CD01C4A8

Function 00444E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00444E74
FreeLibrary.KERNEL32(00000000,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00444E6E
kernel32.dll, xrefs: 00444E5B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 97d88044aaa0a9573afed22ef4006c318c2a5e130005890dad4da1b76f5d56f7
Instruction ID: 032ed8dc186aa5f1ede4550bf8e68155a515bc15e5fa9291530e4bd3d326e81d
Opcode Fuzzy Hash: 97d88044aaa0a9573afed22ef4006c318c2a5e130005890dad4da1b76f5d56f7
Instruction Fuzzy Hash: EAD01235503A3357AA221B257C58F8F6B1CAFC6B613150627B905E7255DF68CD01C9DC

Function 004B2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2C05
DeleteFileW.KERNEL32(?), ref: 004B2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2CC0

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 84d510058d26d42299e5e7a5755186df637a0d562002bbd1149ebef26ed405d5
Instruction ID: 47793e12897cbf770b1800174fc7eca6335dd580bd72017748ef09ce128b468f
Opcode Fuzzy Hash: 84d510058d26d42299e5e7a5755186df637a0d562002bbd1149ebef26ed405d5
Instruction Fuzzy Hash: E5B17F72D00119ABDF11DFA5CD85EDEBBBDEF08344F0040ABF609E6151EA789A448F69

Function 004CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 004CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004CA468
CloseHandle.KERNEL32(?), ref: 004CA63D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a538167c27b50ec615eaa3039d440dcfc0403909b86a0eb752af845ef7d02aab
Instruction ID: 9711f706c4519f47684008f72a35ae953cd2308f277f9d694686834f59889f96
Opcode Fuzzy Hash: a538167c27b50ec615eaa3039d440dcfc0403909b86a0eb752af845ef7d02aab
Instruction Fuzzy Hash: 8CA1B275604300AFE760DF15C886F2AB7E1AF44718F14881EF99A9B3D2D778EC058B86

Function 004AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ACF22,?), ref: 004ADDFD

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ACF22,?), ref: 004ADE16

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

lstrcmpiW.KERNEL32(?,?), ref: 004AE473
MoveFileW.KERNEL32(?,?), ref: 004AE4AC
_wcslen.LIBCMT ref: 004AE5EB
_wcslen.LIBCMT ref: 004AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004AE650

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 44ebc582039cb7a23a3d5423174b7aeec60bc2a837f9fe273fd51a337e9983c7
Instruction ID: 897d3cd52eb352a1f64d2834dc765b13a8cde13c1b2585ad773e1d4c0173963b
Opcode Fuzzy Hash: 44ebc582039cb7a23a3d5423174b7aeec60bc2a837f9fe273fd51a337e9983c7
Instruction Fuzzy Hash: 6F51A2B24083455BD724EBA1DC819DBB3DCAFA5344F00092FF699C3151EF78A588876E

Function 004CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004CBB63
RegCloseKey.ADVAPI32(?,?), ref: 004CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 004CBBB3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f2bdf343f6aff28bacf839fec2df76dde15904531ce6549f1f9d39a148a0c530
Instruction ID: 2afbe340d09e01684d77cfad7e2fbd045d5f549aaa1c595d5eccc796e0c765a0
Opcode Fuzzy Hash: f2bdf343f6aff28bacf839fec2df76dde15904531ce6549f1f9d39a148a0c530
Instruction Fuzzy Hash: C7618B35208241AFD714DF14C891F2ABBE5FF84308F14896EF4998B2A2DB35ED45CB96

Function 004A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004A8BCD
VariantClear.OLEAUT32 ref: 004A8C3E
VariantClear.OLEAUT32 ref: 004A8C9D
VariantClear.OLEAUT32(?), ref: 004A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004A8D3B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4b3301414afd89d13dbc46a0a1a8a68ad9608bcba00535aba5b94d5622e6f6b0
Instruction ID: 6928d5b730bd665ad8bd0613602d672ec2b6ef88de7596e7fb3fa46fdc0f1855
Opcode Fuzzy Hash: 4b3301414afd89d13dbc46a0a1a8a68ad9608bcba00535aba5b94d5622e6f6b0
Instruction Fuzzy Hash: 8E518AB1A00219EFDB10CF28C884AAAB7F8FF99310B15856AE905DB350E734E911CF94

Function 004B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004B8C5F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 1b1165baad01358d777916e6b2a0bee0bf5020eab0d3ac721c7c9faac941582b
Instruction ID: 8dbb53c6182c20db45c80b15fb1031720733e16cb25c61f476f20f602aa80a4c
Opcode Fuzzy Hash: 1b1165baad01358d777916e6b2a0bee0bf5020eab0d3ac721c7c9faac941582b
Instruction Fuzzy Hash: DF516135A00215AFDB00DF65C881A6EBBF5FF49318F08845DE8496B362CB35ED51CB94

Function 004C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 004C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 004C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 004C9032
FreeLibrary.KERNEL32(00000000), ref: 004C9052

Part of subcall function 0045F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004B1043,?,753CE610), ref: 0045F6E6
Part of subcall function 0045F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0049FA64,00000000,00000000,?,?,004B1043,?,753CE610,?,0049FA64), ref: 0045F70D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3e635d17b80f301c26e3086e5f97fdd57325e570f749e3872301964087f66f78
Instruction ID: b9db350ff910227d584071d7a27b4d34cca7c0eba4d41b9d86996a4a5a08e6c3
Opcode Fuzzy Hash: 3e635d17b80f301c26e3086e5f97fdd57325e570f749e3872301964087f66f78
Instruction Fuzzy Hash: D2514B38601205EFD741DF59C484DAEBBB1FF49318B0480AEE8099B362DB35ED86CB95

Function 004D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004BAB79,00000000,00000000), ref: 004D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004D6CC7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c3c6eac817658d178012c59fad58d5ae7f1b4e2f0c9b93d1b63600e06711c036
Instruction ID: beb019e79bc939d542b93bc3b5d33c18c21f86c39bef2c7b1235e94fb8b6d264
Opcode Fuzzy Hash: c3c6eac817658d178012c59fad58d5ae7f1b4e2f0c9b93d1b63600e06711c036
Instruction Fuzzy Hash: C7410635610114AFDB24CF28CCA8FAA7BA5EB09750F16026BF995A73E0C375ED41DA48

Function 00472051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004720C3
_free.LIBCMT ref: 004720E3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d3648ba8661c965503b7f69203103bdb6253d96812a4df49946af4c3f8243354
Instruction ID: 858002681308a3c299a26272eef0e5f8f03e18d26878b291f943175413e649a6
Opcode Fuzzy Hash: d3648ba8661c965503b7f69203103bdb6253d96812a4df49946af4c3f8243354
Instruction Fuzzy Hash: C9410772A002009FCB20DF79C981A9EB7F1FF85314F15816AE609EB351D675AD05C795

Function 0045912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00459141
ScreenToClient.USER32(00000000,?), ref: 0045915E
GetAsyncKeyState.USER32(00000001), ref: 00459183
GetAsyncKeyState.USER32(00000002), ref: 0045919D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7f68a62a2e30f354b5f290b99303e9bf316ed89dbfebe0a8be89baa33754da34
Instruction ID: 45d1c7f9555b6bb2a9b00fa1ecb847902e0fb70681f8f061b8de6ede00ba29b5
Opcode Fuzzy Hash: 7f68a62a2e30f354b5f290b99303e9bf316ed89dbfebe0a8be89baa33754da34
Instruction Fuzzy Hash: 9A416E3190861BFBDF059F64C844BEEBB74FB05325F20822BE825A2391C7385D54CB59

Function 004B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 004B3922
TranslateMessage.USER32(?), ref: 004B394B
DispatchMessageW.USER32(?), ref: 004B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B3966

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d20046e7ee86fbbb63a3752f52df6fe807b1c37c4ed4b7c465be641261e34aea
Instruction ID: 2b84c158a0598ce82062e6dcaef4fbbec360e06a0c1dd47e41d238d7c0f57a14
Opcode Fuzzy Hash: d20046e7ee86fbbb63a3752f52df6fe807b1c37c4ed4b7c465be641261e34aea
Instruction Fuzzy Hash: 4931BDB0504742AEEF35CF369848BF737E49B15305F04456FD562C22A0E7B8A689DB39

Function 004BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 004BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFF2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 2ce330e462472d883ccf06ba1077323ec05ed523c0aaf026bb7414921e47e389
Instruction ID: 21ead6be47b2dd18e2fea094691d226204665ab19b482cc22d234b4c166bb2f4
Opcode Fuzzy Hash: 2ce330e462472d883ccf06ba1077323ec05ed523c0aaf026bb7414921e47e389
Instruction Fuzzy Hash: 67314D71A00206AFDB20DFA5C8C49BBBBFAEB14355B1044AFF506D2281D738AD45DB68

Function 004A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004A19E2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5fc6d21c18e30290d7cfeb94d6cafe41987ffbbba381dce5d061e2c710e5bf30
Instruction ID: e95b92b144b017121951110cdc9aa9aa7428a3a27df9a4c4f5f14f9b4e859331
Opcode Fuzzy Hash: 5fc6d21c18e30290d7cfeb94d6cafe41987ffbbba381dce5d061e2c710e5bf30
Instruction Fuzzy Hash: 1031C2B1900219EFCB00CFA8CD99ADF3BB9EB15315F10422AF921AB2E1C7749954CB94

Function 004D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004D579D
_wcslen.LIBCMT ref: 004D57AF
_wcslen.LIBCMT ref: 004D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D5816

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ee75dc562211cbd6a355595cb3664f73768dc73572e02ab2cc90eae4c8deb618
Instruction ID: 58cf9e6dc0495556f3c8e2c04c24169b0ba0f34aab9745ee4d30e30f7155c49d
Opcode Fuzzy Hash: ee75dc562211cbd6a355595cb3664f73768dc73572e02ab2cc90eae4c8deb618
Instruction Fuzzy Hash: 6F21A771904618DADB20DF64CC94AEE77B8FF05324F10815BF919DA380DB748985CF59

Function 004C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004C0951
GetForegroundWindow.USER32 ref: 004C0968
GetDC.USER32(00000000), ref: 004C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 004C09B0
ReleaseDC.USER32(00000000,00000003), ref: 004C09E8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f111ac8955c0b07280508b4195262271887ac254f883208041b0bef1da7a9c55
Instruction ID: e21860a37239595613a8fd74549e2308db0496ef641bf6ec70afca60ad345206
Opcode Fuzzy Hash: f111ac8955c0b07280508b4195262271887ac254f883208041b0bef1da7a9c55
Instruction Fuzzy Hash: 3B215E75600214AFD744EF65C984AAEBBE5EF44744F04846EE84A97362CA34EC04CB94

Function 0047CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0047CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047CDE9

Part of subcall function 00473820: RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0047CE0F
_free.LIBCMT ref: 0047CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0047CE31

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 29ac7683cbbf886fcc471cb1927c73d65fde28721c0c1d4d6cbe04cfdbc91d6a
Instruction ID: 7ec8fcaa3ff830aec889c0649b52ebb2e5422a3d7949cb89c80289662a25ad5c
Opcode Fuzzy Hash: 29ac7683cbbf886fcc471cb1927c73d65fde28721c0c1d4d6cbe04cfdbc91d6a
Instruction Fuzzy Hash: C501D8726026157F272116B66CC8CBF6A6DDFC6BA1315812FFD09C7200DA688D0281B9

Function 00459639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
SelectObject.GDI32(?,00000000), ref: 004596A2
BeginPath.GDI32(?), ref: 004596B9
SelectObject.GDI32(?,00000000), ref: 004596E2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: db7da3f69bc1959f95ef1732383d6e5ccfb89d8b5cd4f6c8944f5b726d7bc670
Instruction ID: eda12c50c749bd8939734da0ce962ed544f2cae061badbff61760bded230865c
Opcode Fuzzy Hash: db7da3f69bc1959f95ef1732383d6e5ccfb89d8b5cd4f6c8944f5b726d7bc670
Instruction Fuzzy Hash: C2217130802706EBDB119F64DC557EE7BA5BB20316F108267F920961A1D3785C5DDF9C

Function 004A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004A5726
_memcmp.LIBVCRUNTIME ref: 004A5744
_memcmp.LIBVCRUNTIME ref: 004A5757
_memcmp.LIBVCRUNTIME ref: 004A576F
_memcmp.LIBVCRUNTIME ref: 004A5787

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a61a087a6a27566e95125a28a4182acb567a162141928541f6f5d2c5310c1195
Instruction ID: b7a427bcda0dbcb53ba0bfce7455c1b2e2b7b28630cf46cd425e426177da6559
Opcode Fuzzy Hash: a61a087a6a27566e95125a28a4182acb567a162141928541f6f5d2c5310c1195
Instruction Fuzzy Hash: 29012669240A04BAA21851118E42FFB234C9B323A8F144037FD06AAB41F72CED1082AE

Function 00472DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0046F2DE,00473863,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6), ref: 00472DFD
_free.LIBCMT ref: 00472E32
_free.LIBCMT ref: 00472E59
SetLastError.KERNEL32(00000000,00441129), ref: 00472E66
SetLastError.KERNEL32(00000000,00441129), ref: 00472E6F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 066785fde3bf32191ae901c1cfb110fcf6be25e9c168a5fab35c8a94b2316742
Instruction ID: b342478b09e43f567c51bdbfc38e7e1297f4a91df7d4f2e52f57303b5e7675b9
Opcode Fuzzy Hash: 066785fde3bf32191ae901c1cfb110fcf6be25e9c168a5fab35c8a94b2316742
Instruction Fuzzy Hash: C301497224160077C61227352E85DEB265DABD5379B24C02FF82CA22D3EFEC8C45902C

Function 004A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?,?,004A035E), ref: 004A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?), ref: 004A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0070

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b9c9f500950010a91fe6d594c0c2f5f90f5879d5c344827024e6bdd039663625
Instruction ID: efd20aa6bc9e0810138c0ee0a2149bbbdd4274dd76a7d21996da54bdd8fc54eb
Opcode Fuzzy Hash: b9c9f500950010a91fe6d594c0c2f5f90f5879d5c344827024e6bdd039663625
Instruction Fuzzy Hash: 7B01DBB2605205BFDB105F68EC84FAB7BAEEB58392F104126F901E2210E778CD00DBA4

Function 004AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 004AE9A5
Sleep.KERNEL32(00000000), ref: 004AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 004AE9B7
Sleep.KERNEL32 ref: 004AE9F3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 584b643211502e390f196720e310656b75c3d934fa5640b710901e50938d473c
Instruction ID: 125b6d0e9ef8b1d171f45e30b7e483f02d2f84bb112c9b59db4f9e4e3f76545d
Opcode Fuzzy Hash: 584b643211502e390f196720e310656b75c3d934fa5640b710901e50938d473c
Instruction Fuzzy Hash: BC015E71C01629DBCF009BE6D9896DEBB78BB1A300F000557D512B2280CB345551CB69

Function 004A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: fc5cf63baaca712a6dfe296e855a2187a71c0bc410376cb878e1567ef223327b
Instruction ID: 0ff613c46cd3df26d405c9579ac427b82874471ef4583c0c23bb494a8868b0aa
Opcode Fuzzy Hash: fc5cf63baaca712a6dfe296e855a2187a71c0bc410376cb878e1567ef223327b
Instruction Fuzzy Hash: F2011975201216BFDB114FA5DC89A6B3B6EEF8A3A4B20442AFA45D7360DA31DC00DA64

Function 004A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004A1002

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dbbda175da9d84a8dbc0919b6d61714fcd7f271c6d8e7ef800e71b756c675628
Instruction ID: e17e0d8f00677d79dd1b8e87eb12ecb418ddba6be4004071de9844e1e3ab2597
Opcode Fuzzy Hash: dbbda175da9d84a8dbc0919b6d61714fcd7f271c6d8e7ef800e71b756c675628
Instruction Fuzzy Hash: BAF06D35241312EBEB214FA4DC8DF5B3BADEF8A762F114426FA45D72A1CA74DC40CA64

Function 004A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1062

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f64ae0021afd97782f982999f3a48da71119908e0025155f8a14d70a9d3ba384
Instruction ID: 716b2252bca9087fce3a3c4f14a2d310f9ab97b96bada927df80d192b5a3b4ce
Opcode Fuzzy Hash: f64ae0021afd97782f982999f3a48da71119908e0025155f8a14d70a9d3ba384
Instruction Fuzzy Hash: 87F06235141312EBDB225FA4EC89F5B3B6DEF8A761F110426F945D72A0CA74D840CA64

Function 004B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0324
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0331
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B033E
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B034B
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0358
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0365

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 20c30cb9a9318ccdc111b99c159153f55532dd6cc1f00a8aa142afc9054e1361
Instruction ID: baf1438ff7e6ca38d5065130e5bbdf2e228e9fa6ea546432583a3500faae1d0b
Opcode Fuzzy Hash: 20c30cb9a9318ccdc111b99c159153f55532dd6cc1f00a8aa142afc9054e1361
Instruction Fuzzy Hash: A601EE72800B058FCB30AF66D880843FBF9BF603063049A3FD19252A30C3B4A988CF94

Function 0047D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0047D752

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047D764
_free.LIBCMT ref: 0047D776
_free.LIBCMT ref: 0047D788
_free.LIBCMT ref: 0047D79A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 67921b22d40125357a042d4e89d3aa10ebf62758bc86094a8f63ee98ea5db302
Instruction ID: 44cc389e7f607fb351514d9eb1291057d6996fb77180a364c7f48df3a27e2005
Opcode Fuzzy Hash: 67921b22d40125357a042d4e89d3aa10ebf62758bc86094a8f63ee98ea5db302
Instruction Fuzzy Hash: DBF036F251020457C625E765F9C2C9B7BEDBF45310B98880AF14DE7502C728FC84466C

Function 004A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 004A5C6F
MessageBeep.USER32(00000000), ref: 004A5C87
KillTimer.USER32(?,0000040A), ref: 004A5CA3
EndDialog.USER32(?,00000001), ref: 004A5CBD

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: cb605bda5d0c3a715d9f9488185d3b38c4d871093b29947d7990c341e0fba651
Instruction ID: 698de01f7a73d9c92982753ead982fa21416b4c6b5a005ed421d7865272dfc6a
Opcode Fuzzy Hash: cb605bda5d0c3a715d9f9488185d3b38c4d871093b29947d7990c341e0fba651
Instruction Fuzzy Hash: ED018B305017059BFB205B10DE8EF9677B8FB11705F00166BA543A14E1D7F4A944CA59

Function 004722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004722BE

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 004722D0
_free.LIBCMT ref: 004722E3
_free.LIBCMT ref: 004722F4
_free.LIBCMT ref: 00472305

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d2d1ff88a47bc1c6be6c18aa5a8cc5f5dc2d875d045c113f01e2d4bfe309f349
Instruction ID: 93e023ed3bb41a0002f92b686a8870a9c4a9c0d273fabfe16e51a71e4cc346f1
Opcode Fuzzy Hash: d2d1ff88a47bc1c6be6c18aa5a8cc5f5dc2d875d045c113f01e2d4bfe309f349
Instruction Fuzzy Hash: 76F01DF85015108BC612AF65AD028CD7E64BB39750B05D64BF518D22B1C7B904DABAAC

Function 004595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004595D4
StrokeAndFillPath.GDI32(?,?,004971F7,00000000,?,?,?), ref: 004595F0
SelectObject.GDI32(?,00000000), ref: 00459603
DeleteObject.GDI32 ref: 00459616
StrokePath.GDI32(?), ref: 00459631

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 82a5ca17e007ba1f60cafa17a36cbbd813939461611b12aea9eaee306b157317
Instruction ID: 6e4e42c85efc4352b968b89ac8c70058478555dc6e53e3f4396fbf5ef8f38b2f
Opcode Fuzzy Hash: 82a5ca17e007ba1f60cafa17a36cbbd813939461611b12aea9eaee306b157317
Instruction Fuzzy Hash: 4EF03C31006A09EBDB165F65ED5C7A93B61AB10322F04C266FA25551F1C73489ADEF2C

Function 00470F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004710F9
__freea.LIBCMT ref: 00471117

Part of subcall function 00471537: _free.LIBCMT ref: 0047154F

Strings

a/p, xrefs: 004711DE
am/pm, xrefs: 0047117A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 8177489804e67560fe78baf08118f817c0114d23f041e5b0c184eb2ab3113ec5
Instruction ID: cc8f07359c9cf1f880bdcdf81cc7a4d9c09c91c6372003f068ea5dbaa13e8003
Opcode Fuzzy Hash: 8177489804e67560fe78baf08118f817c0114d23f041e5b0c184eb2ab3113ec5
Instruction Fuzzy Hash: 3DD1F231900245CAEB249F6CC895BFBB7B4EF05304F28815BE909ABB61D37D9D81CB59

Function 004C61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00460242: EnterCriticalSection.KERNEL32(0051070C,00511884,?,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046024D
Part of subcall function 00460242: LeaveCriticalSection.KERNEL32(0051070C,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046028A

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

__Init_thread_footer.LIBCMT ref: 004C6238

Part of subcall function 004601F8: EnterCriticalSection.KERNEL32(0051070C,?,?,00458747,00512514), ref: 00460202
Part of subcall function 004601F8: LeaveCriticalSection.KERNEL32(0051070C,?,00458747,00512514), ref: 00460235

Part of subcall function 004B359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004B35E4
Part of subcall function 004B359C: LoadStringW.USER32(00512390,?,00000FFF,?), ref: 004B360A

Strings

x#Q, xrefs: 004C636F
x#Q, xrefs: 004C633A
x#Q, xrefs: 004C6353

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#Q$x#Q$x#Q
API String ID: 1072379062-530750269
Opcode ID: fbf9348370fbb2904d5f9c8789440eb99d33fb7584c641fdb19d870c3907391c
Instruction ID: 2bb6a7a682444ce94b255ffcfe83778f06d9648d25b0ad46c9e0b4792dd7693f
Opcode Fuzzy Hash: fbf9348370fbb2904d5f9c8789440eb99d33fb7584c641fdb19d870c3907391c
Instruction Fuzzy Hash: 23C19B75A00105AFDB14EF98C890EBEB7B9FF48304F11806EE9059B291DB78ED45CB99

Function 00475AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOD, xrefs: 00475BA8, 00475C6C

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: JOD
API String ID: 0-2216429383
Opcode ID: 6c036bd02561536f8db9f9dad403c58c3cfbc09ad4b2b930c5153fb4c0894f0b
Instruction ID: 855c4581019b82349fb6a31fab86fb240dea39272188df046d2daf10b22c89ed
Opcode Fuzzy Hash: 6c036bd02561536f8db9f9dad403c58c3cfbc09ad4b2b930c5153fb4c0894f0b
Instruction Fuzzy Hash: B351CF71D006099FCB219FA5C945BFFBBB8AF05314F14805BE408AF291D7B99902CB6A

Function 00478A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00478B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00478B7A
__dosmaperr.LIBCMT ref: 00478B81

Strings

.F, xrefs: 00478A63

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .F
API String ID: 2434981716-907655787
Opcode ID: 75a11eb073a95ec5af7e52105cc3c1de6c2de229e2375ee9da0f3d1dc6572e37
Instruction ID: 89f20480cfb91b8fa959483c8b1a0294a35305fb488c2de2e28d9f11ce4b9366
Opcode Fuzzy Hash: 75a11eb073a95ec5af7e52105cc3c1de6c2de229e2375ee9da0f3d1dc6572e37
Instruction Fuzzy Hash: 2F417E70504045AFCB249F25C889AFE7F95DB85304F18C1AFF48D87642DE359C439798

Function 004A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004A21D0,?,?,00000034,00000800,?,00000034), ref: 004AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004A2760

Part of subcall function 004AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 004AB3F8

Part of subcall function 004AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 004AB355
Part of subcall function 004AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004A2194,00000034,?,?,00001004,00000000,00000000), ref: 004AB365
Part of subcall function 004AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004A2194,00000034,?,?,00001004,00000000,00000000), ref: 004AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004A281A

Strings

@, xrefs: 004A2832

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: cd2705d4bb827773e05e7b589c3c111ee2177e43870f9f8a6f1a00a4abfba7f2
Instruction ID: 308108c89327fdb953ec663836991787bcc0bda5ca88cc80faa3442a708648ca
Opcode Fuzzy Hash: cd2705d4bb827773e05e7b589c3c111ee2177e43870f9f8a6f1a00a4abfba7f2
Instruction Fuzzy Hash: 2D413D76900218AFDB10DFA4CD81AEEBBB8EF1A304F00405AFA55B7191DB746E45DBA4

Function 0047172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00471769
_free.LIBCMT ref: 00471834
_free.LIBCMT ref: 0047183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00471760, 00471767, 00471796, 004717CE

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: db938c6f41a80ec770ab831fc6d10777a1ecdf8177db0e14a10a474f8b3bee98
Instruction ID: ffddac4f1815a84a41f564336a27954c514de69aa9bc1a332953554b2c5eea52
Opcode Fuzzy Hash: db938c6f41a80ec770ab831fc6d10777a1ecdf8177db0e14a10a474f8b3bee98
Instruction Fuzzy Hash: 6F319575A00218ABDB21DF9A9881DDFBBFCEB95310B1481ABE50897221D6748A44CB99

Function 004AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 004AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00511990,018F6BE0), ref: 004AC395

Strings

0, xrefs: 004AC2DF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a08065dcaabd5854bb54d7bdf7e962a8ee3012cbe35864bdc95162113c88498b
Instruction ID: bcb5ffec9493530bc2ce7132751c4c935d32c63eae30356223bcce357727110b
Opcode Fuzzy Hash: a08065dcaabd5854bb54d7bdf7e962a8ee3012cbe35864bdc95162113c88498b
Instruction Fuzzy Hash: 1741A071208301AFDB20DF25D884B1BBBE8AF96314F04861EFDA5973D1D778A904CB5A

Function 004D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004DCC08,00000000,?,?,?,?), ref: 004D44AA
GetWindowLongW.USER32 ref: 004D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D44D7

Strings

SysTreeView32, xrefs: 004D447C

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3ab8d8d0d253fcc30a2335493130516706df0f0c67a2d2fac1a9188cc2926542
Instruction ID: 829c795f959bfcad38e3dc4dc2013eda93e5db7b3bee69ba2e5a1bc21c63a922
Opcode Fuzzy Hash: 3ab8d8d0d253fcc30a2335493130516706df0f0c67a2d2fac1a9188cc2926542
Instruction Fuzzy Hash: 07317E31210605AFDF208E38DC95BEB77A9EB49328F20472BF975922D0D778EC919754

Function 004A6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 004A6EED
VariantCopyInd.OLEAUT32(?,?), ref: 004A6F08
VariantClear.OLEAUT32(?), ref: 004A6F12

Strings

*jJ, xrefs: 004A6E8B, 004A6E90, 004A6EF8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jJ
API String ID: 2173805711-3279958407
Opcode ID: 9bcc00c9a3297a963c4cbf7b5008e53aeb1e0818a37f25692058ca662e9f4a21
Instruction ID: 4d4754c35082ee077d59e2f2dffa684f2120e4ed7f44f03dcdce567146c12476
Opcode Fuzzy Hash: 9bcc00c9a3297a963c4cbf7b5008e53aeb1e0818a37f25692058ca662e9f4a21
Instruction Fuzzy Hash: C931D171704205DFDB04AFA5E8909BE77B6EF92308B1504AEF8064B2A1C738D912CBD9

Function 004C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,004C3077,?,?), ref: 004C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
_wcslen.LIBCMT ref: 004C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 004C3106

Strings

255.255.255.255, xrefs: 004C3095, 004C309A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d3c5209df74a7f231873a5e5aa31bffbfee2f02e536b178d5b4f55f479140001
Instruction ID: f3acfe79123c2eeb759f278ffa78b72ba8fbfcafc0702058d9365466f6083846
Opcode Fuzzy Hash: d3c5209df74a7f231873a5e5aa31bffbfee2f02e536b178d5b4f55f479140001
Instruction Fuzzy Hash: 3731B23A2002019FDB50DF29C485FAA77E0EF54319F28C05EE9158B392DB7AEE45C765

Function 004D3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004D3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004D3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D3F78

Strings

SysMonthCal32, xrefs: 004D3F0B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 2b46f14ab70b2c672dfe24b83a7a899f9e4f9e3d8619e6ce5e1b95c8ba2d18fc
Instruction ID: bbf97a22042148e17f555d23b8dbfa04ec8725639538e1fbb178c1cb050c10d5
Opcode Fuzzy Hash: 2b46f14ab70b2c672dfe24b83a7a899f9e4f9e3d8619e6ce5e1b95c8ba2d18fc
Instruction Fuzzy Hash: 7021BF32600219BFDF118F50CC96FEB3B79EB49718F11021AFA156B2D0D6B5AC50CB94

Function 004D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004D471A

Strings

msctls_updown32, xrefs: 004D4684

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ea435fa03d9a3381b2ddbfe86aad0589948ec14ed2bf90500f28a5c8db5e7fc0
Instruction ID: eeca0fdf0b13e5eefb0ba95d9376207a5e6c56eadc571a621743be02dab8851c
Opcode Fuzzy Hash: ea435fa03d9a3381b2ddbfe86aad0589948ec14ed2bf90500f28a5c8db5e7fc0
Instruction Fuzzy Hash: A92151B5600209AFDB10DF65DCD1DBB37ADEB9A398B04005BF6009B391CB75EC11DA64

Function 004A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A961D

Strings

#OnAutoItStartRegister, xrefs: 004A95F3
#requireadmin, xrefs: 004A95D9
#notrayicon, xrefs: 004A95B7

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 7ea11e98f576be9cadce9f01d225f179c686541e0dd2d20aced89eaf5fa46842
Instruction ID: 80e38fbf8443115e0d173aee05e7419fb459e36931e2edfd5f1fa0028beb1319
Opcode Fuzzy Hash: 7ea11e98f576be9cadce9f01d225f179c686541e0dd2d20aced89eaf5fa46842
Instruction Fuzzy Hash: 5721357260421066D331AA26DC02FBB73D89FB6314F14442FFA4A97281EB5DAD56C29E

Function 004D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004D3876

Strings

Listbox, xrefs: 004D380F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3896f27926b5356bfe5291ac1638631c48be5d8dddb3f966dd48cf3fc9744990
Instruction ID: 13a74f170518cd82caec1cf9b5e3600b3b25bf587dff94147f57ad1244dc1713
Opcode Fuzzy Hash: 3896f27926b5356bfe5291ac1638631c48be5d8dddb3f966dd48cf3fc9744990
Instruction Fuzzy Hash: 3E210472600119BBEF219F54CC85FBB37AEEF89754F008126F9009B290C675DC12D7A4

Function 004B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004B4A5C
SetErrorMode.KERNEL32(00000000,?,?,004DCC08), ref: 004B4AD0

Strings

%lu, xrefs: 004B4A6F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7fe1c2ab4a388395003416380a371522805701318706e014a6b08620a2652059
Instruction ID: 5b683f470ff01471fe4b6c1df3b17ee86dfcc22a2e39b00770b1aca981ebcb21
Opcode Fuzzy Hash: 7fe1c2ab4a388395003416380a371522805701318706e014a6b08620a2652059
Instruction Fuzzy Hash: 87318E74A00109AFDB10DF54C885EAE7BF8EF48308F1480AAE909DB352D775ED46CB65

Function 004D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004D4271

Strings

msctls_trackbar32, xrefs: 004D4226

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3c941c36bfc4942e8e44f4b0d09b70d3212f1681df46baf0e66eaa82e8efa9c4
Instruction ID: 50127a500a8c5dc359579f458cd6727c291108e999354b6154d191939e34735f
Opcode Fuzzy Hash: 3c941c36bfc4942e8e44f4b0d09b70d3212f1681df46baf0e66eaa82e8efa9c4
Instruction Fuzzy Hash: DD11E331240208BFEF205F29CC46FAB3BACEF95B64F11012AFA55E2290D675D8119B28

Function 004A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Part of subcall function 004A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004A2DC5
Part of subcall function 004A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A2DD6
Part of subcall function 004A2DA7: GetCurrentThreadId.KERNEL32 ref: 004A2DDD
Part of subcall function 004A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004A2DE4

GetFocus.USER32 ref: 004A2F78

Part of subcall function 004A2DEE: GetParent.USER32(00000000), ref: 004A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 004A2FC3
EnumChildWindows.USER32(?,004A303B), ref: 004A2FEB

Strings

%s%d, xrefs: 004A2FFF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: bea6aa6a8a135b2a6baaa24a93bb140a1ec802427bbe3429048d6056e2742d90
Instruction ID: 0bc569bf23bae8173d30bd299ca2a18b37f34c2932f8fc508cf0beed64782ca7
Opcode Fuzzy Hash: bea6aa6a8a135b2a6baaa24a93bb140a1ec802427bbe3429048d6056e2742d90
Instruction Fuzzy Hash: EB11D5712002056BDF107F658CC5EEE376AAF95309F04407BFD099B292EE789909DB68

Function 004D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004D58EE
DrawMenuBar.USER32(?), ref: 004D58FD

Strings

0, xrefs: 004D588F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 6740191558a90a6fbadfb41f7670b6661c1e0d5a528cc229cb2b0729cac9dfcc
Instruction ID: b04b5bece51d957a0a8ee0f12f005dafe6927a80aa7729fed8fcb87a759f746c
Opcode Fuzzy Hash: 6740191558a90a6fbadfb41f7670b6661c1e0d5a528cc229cb2b0729cac9dfcc
Instruction Fuzzy Hash: 3301A171500218EFDB109F11DC55BAFBBB4FB45361F0080ABE848D6251DF348A85DF2A

Function 0049D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0049D3BF
FreeLibrary.KERNEL32 ref: 0049D3E5

Strings

X64, xrefs: 0049D2A8
GetSystemWow64DirectoryW, xrefs: 0049D3B9

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7b8393184c221bf24f80ba64d9f2871a559fc1e486f40634f92d135a1c4864a7
Instruction ID: c582575667fc07682611908234fa714cbd58bb43cd1f9925d339bd4a92fc2ebc
Opcode Fuzzy Hash: 7b8393184c221bf24f80ba64d9f2871a559fc1e486f40634f92d135a1c4864a7
Instruction Fuzzy Hash: DAF0EC21D06A2297DF7557104C989AE3F14AF11742B9486B7EC02E524DDB1CCD45C69F

Function 004A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c014c28e17ccb39788ef984ba0ba97dd4ee9642940ce23ecd047c837800aad9
Instruction ID: 98626709552b6c92df0f29a06992de049f92cd37a9c09b77a91bcad73a023377
Opcode Fuzzy Hash: 0c014c28e17ccb39788ef984ba0ba97dd4ee9642940ce23ecd047c837800aad9
Instruction Fuzzy Hash: 37C16B75A0020AEFCB14CFA4C894BAEB7B5FF59304F20859AE805EB251D735ED42CB94

Function 004C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004C3459
CoUninitialize.OLE32 ref: 004C3463
VariantInit.OLEAUT32(?), ref: 004C346E
VariantClear.OLEAUT32(?), ref: 004C371B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 77936d54243d88dff453116cf20af080cb71b32dbf2e0764cb3d53f7f4ef6e07
Instruction ID: 7e86fce399edd4b75eb98e23bb1f2809f3d1c2d6beb8e6de4bf329f6e420d8c2
Opcode Fuzzy Hash: 77936d54243d88dff453116cf20af080cb71b32dbf2e0764cb3d53f7f4ef6e07
Instruction Fuzzy Hash: D4A16E79604210AFD710DF25C485E1AB7E4FF88719F04885EF94A9B362DB38ED05CB59

Function 004A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004DFC08,?), ref: 004A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004DFC08,?), ref: 004A0608
CLSIDFromProgID.OLE32(?,?,00000000,004DCC40,000000FF,?,00000000,00000800,00000000,?,004DFC08,?), ref: 004A062D
_memcmp.LIBVCRUNTIME ref: 004A064E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1598e95be5655e2fd8b12dc8d07726dd336745e2e712224f76858938b6dc7f37
Instruction ID: a982c96c7781af07c8f0c91e66fa6bd8a67aff6888e3d06469d274ad82e1960a
Opcode Fuzzy Hash: 1598e95be5655e2fd8b12dc8d07726dd336745e2e712224f76858938b6dc7f37
Instruction Fuzzy Hash: A0814A71A00109EFCB04DF94C988EEEB7B9FF9A315F204159F506AB250DB75AE06CB64

Function 004CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 004CA6BA

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Process32NextW.KERNEL32(00000000,?), ref: 004CA79C
CloseHandle.KERNEL32(00000000), ref: 004CA7AB

Part of subcall function 0045CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00483303,?), ref: 0045CE8A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 069d06b235669fb803b01a31d7ba022bb839342af2f2f166d205b79d1d9ae474
Instruction ID: 286eea78f7ebc1037b3ca36e03b34f0a1ff119c2932cfc6224ccd6c25f19aa7b
Opcode Fuzzy Hash: 069d06b235669fb803b01a31d7ba022bb839342af2f2f166d205b79d1d9ae474
Instruction Fuzzy Hash: F4516E75508301AFD710EF25C886E6BBBE8FF89758F00492EF98597252EB34D904CB96

Function 00481391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004814C0

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 175d349b275fde42403e49eeed0190081a4478ae6eaed9000366fdee04815883
Instruction ID: 6f2dbfc4c082461a509bfd37ce96e1ab68ee3a353328b9f41e692deec3ae0c31
Opcode Fuzzy Hash: 175d349b275fde42403e49eeed0190081a4478ae6eaed9000366fdee04815883
Instruction Fuzzy Hash: 2F417071A001006BDB217BBA9C45ABF3BACEF41734F144A6BF418C62B1E67C4843576E

Function 004D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004D62E2
ScreenToClient.USER32(?,?), ref: 004D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004D6382

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: aaa3884a15ebc6e81b1ef6038e290de3e4c3300506d15243919c667ddc1566fe
Instruction ID: cd0f5c1c45702ed9e3acacddbf467c15daf66712b0086820a72fa60944cff3a8
Opcode Fuzzy Hash: aaa3884a15ebc6e81b1ef6038e290de3e4c3300506d15243919c667ddc1566fe
Instruction Fuzzy Hash: CF514A74A00209AFCF10DF68D8909AE7BB5EF55360F11826BF9259B390D734ED41CB94

Function 004C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004C1AFD
WSAGetLastError.WSOCK32 ref: 004C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004C1B8A
WSAGetLastError.WSOCK32 ref: 004C1B94

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 518ebdeaa2ce82bd8b13142bdb4118e611ed1b9941d718c141e03175152b6b62
Instruction ID: d4f162c6049bd760763204c078b893079eb55226a702b7b7ccfa4f0031050f97
Opcode Fuzzy Hash: 518ebdeaa2ce82bd8b13142bdb4118e611ed1b9941d718c141e03175152b6b62
Instruction Fuzzy Hash: 9041D538600201AFE720AF21C886F2677E5AB45718F54845EF9169F3D3E77AED42CB94

Function 0047B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d3c39b542f68506b9ea5543e2ca34a75aecb67a33fb7a6aae5f6a6c0fc92e7
Instruction ID: 998abe61d2193a6ab3bb89d55d15a32d2e64759f45128d90db0549c27154fc19
Opcode Fuzzy Hash: b3d3c39b542f68506b9ea5543e2ca34a75aecb67a33fb7a6aae5f6a6c0fc92e7
Instruction Fuzzy Hash: 2341E671A00704BFD724AF39C841BAABBA9EB84714F10852FF549DB292D779994187C4

Function 004B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004B5783
GetLastError.KERNEL32(?,00000000), ref: 004B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004B57FA

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ff0154770d8b9a5dc8f16829245b2a50124b409c364071eaa98ed39745458c56
Instruction ID: 320549d413e82f32af03376d58cc566e6a1bd7fa0bf839db32533621b2b93766
Opcode Fuzzy Hash: ff0154770d8b9a5dc8f16829245b2a50124b409c364071eaa98ed39745458c56
Instruction Fuzzy Hash: 8D414135600610DFDB11EF16C584A5EBBE1EF49319B18889AEC4A5F361CB38FD01CB95

Function 0047D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00466D71,00000000,00000000,004682D9,?,004682D9,?,00000001,00466D71,?,00000001,004682D9,004682D9), ref: 0047D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0047D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0047D9AB
__freea.LIBCMT ref: 0047D9B4

Part of subcall function 00473820: RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 20d83221810b4dcfa51e20f72d6da70f53a28705cd54b5ce694e37b902652127
Instruction ID: 98a71480fb4f13076a837ad5b3108f33b4284f82f1c86bca29e39467fcffc922
Opcode Fuzzy Hash: 20d83221810b4dcfa51e20f72d6da70f53a28705cd54b5ce694e37b902652127
Instruction Fuzzy Hash: E531DFB2A1021AABDB249F65DC41EEF7BB5EF40310F05826AFD0896250E739CD50CB95

Function 004D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004D5352
GetWindowLongW.USER32(?,000000F0), ref: 004D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004D53A8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c0d50b07211dbf753d4482b6c16d4f8700ce75a8ba501efe1224202b1bd5d538
Instruction ID: a49919a1f5e09118e2096183bc1c00c0845a6718d91db8f1dbc11d4f76e5938f
Opcode Fuzzy Hash: c0d50b07211dbf753d4482b6c16d4f8700ce75a8ba501efe1224202b1bd5d538
Instruction Fuzzy Hash: CF31E330A55A08EFEB309F14CC65BEA3761AB05390F584103FE10963E1CFB8AD50EB4A

Function 004AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 004AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 004AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 004AAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 004AACC6

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3d7fea61392394a6092d229cb0c5cd4f43ef4e8c6a75a5ce92bf33e0c0b15a9b
Instruction ID: 40043c2a0c3c661470ce19e209218f9fca30a6ec91bb5bb8bbface2ae7e58682
Opcode Fuzzy Hash: 3d7fea61392394a6092d229cb0c5cd4f43ef4e8c6a75a5ce92bf33e0c0b15a9b
Instruction Fuzzy Hash: 4F311670A006186FFF35CB6588087FB7BA6ABA7330F04421BE481922D1C37D89A1C75A

Function 004D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004D769A
GetWindowRect.USER32(?,?), ref: 004D7710
PtInRect.USER32(?,?,004D8B89), ref: 004D7720
MessageBeep.USER32(00000000), ref: 004D778C

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1f900d0f9a7a37351b4cbef90bf8f2a464dd94d1f7983a5a0bb1dde9e2325290
Instruction ID: 8f3a65c4a8ff03e7a759bd4d1f5725d529b9a937930d519c53d682d88f4dd903
Opcode Fuzzy Hash: 1f900d0f9a7a37351b4cbef90bf8f2a464dd94d1f7983a5a0bb1dde9e2325290
Instruction Fuzzy Hash: 34419C34A092159FCB01CF58C8A8EA977F4BB49314F1885ABE5249B361E338F945CF98

Function 004D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004D16EB

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

GetCaretPos.USER32(?), ref: 004D16FF
ClientToScreen.USER32(00000000,?), ref: 004D174C
GetForegroundWindow.USER32 ref: 004D1752

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ade4181b589b7775c423c86fe611288d8c9837b24b56d04d30bee13cd4edbbd3
Instruction ID: 0a04db13fd0ee4e6d4adf26e5b4dc06a50121e452adf452a93ae64d024ab87af
Opcode Fuzzy Hash: ade4181b589b7775c423c86fe611288d8c9837b24b56d04d30bee13cd4edbbd3
Instruction Fuzzy Hash: D8315E75D01249AFD700DFAAC8C18AEB7F9EF49308B5480ABE415E7211E7359E45CBA4

Function 004D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

GetCursorPos.USER32(?), ref: 004D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00497711,?,?,?,?,?), ref: 004D9016
GetCursorPos.USER32(?), ref: 004D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00497711,?,?,?), ref: 004D9094

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4390e80675207fbeb0eeeb8e8e83242288aa10403112035c62a96edc71fa6b60
Instruction ID: 13b8a4e9fc8e3f57add1d32b8bfe3de1062370f23f9fcf4f1cabd224e5859f1e
Opcode Fuzzy Hash: 4390e80675207fbeb0eeeb8e8e83242288aa10403112035c62a96edc71fa6b60
Instruction Fuzzy Hash: 38219E31600018FFDB169F94D8A8EEA3BB9EF49350F0481ABF9058B361C3359D50DB64

Function 004AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004DCB68), ref: 004AD2FB
GetLastError.KERNEL32 ref: 004AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 004AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004DCB68), ref: 004AD376

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0308c23645edc4cd9090e24b7d84c4b4f5d3c9dfa31ba4f6abb5560a37225735
Instruction ID: 1a56ec8e2de61954e0d0b8e79fb5e106c3b73b29e309e54118aa7ecd19b79cd3
Opcode Fuzzy Hash: 0308c23645edc4cd9090e24b7d84c4b4f5d3c9dfa31ba4f6abb5560a37225735
Instruction Fuzzy Hash: D72194709052019F8B00DF29C88146F77E4AF66358F104A6FF896C76A1D734DD46CB9B

Function 004A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004A102A
Part of subcall function 004A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004A1036
Part of subcall function 004A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1045
Part of subcall function 004A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004A104C
Part of subcall function 004A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004A15BE
_memcmp.LIBVCRUNTIME ref: 004A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A1617
HeapFree.KERNEL32(00000000), ref: 004A161E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7c5cab6a9adc8f937351826cfcb86d3df126583ed39bd5baac50f3bd41d5aeb8
Instruction ID: 7dcdc3a462846f7a98e1eb8cc9406d212eb466ef1673c32e2a142dd7fd6fde4f
Opcode Fuzzy Hash: 7c5cab6a9adc8f937351826cfcb86d3df126583ed39bd5baac50f3bd41d5aeb8
Instruction Fuzzy Hash: A3219D31E41109EFDF00DFA4C945BEFB7B8EF56344F08445AE441AB261E738AA05CBA4

Function 004D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004D2840

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0c71e76a39449fbc67f71344197956211f9b0553544a23c149f900fef4091b1a
Instruction ID: 1b3e7198f5bbff1fb9e761f408cd0d6d1153e514e34a056da38bcb3ae55b1b44
Opcode Fuzzy Hash: 0c71e76a39449fbc67f71344197956211f9b0553544a23c149f900fef4091b1a
Instruction Fuzzy Hash: B9210031205111AFD7109B24C9A0FAABB95EF55328F14825BF4268B3E2C7B9FC42C798

Function 004A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?), ref: 004A8D8C
Part of subcall function 004A8D7D: lstrcpyW.KERNEL32(00000000,?,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A8DB2
Part of subcall function 004A8D7D: lstrcmpiW.KERNEL32(00000000,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?), ref: 004A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7923
lstrcpyW.KERNEL32(00000000,?,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7984

Strings

cdecl, xrefs: 004A797B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b2c6067754b9caed9e1f71fe1b515204c1194086b6305a472df53215e7970d56
Instruction ID: 509687913b0c37282026e872e5027bfa20625c91b5b9fad6cd85afd04c5c36d3
Opcode Fuzzy Hash: b2c6067754b9caed9e1f71fe1b515204c1194086b6305a472df53215e7970d56
Instruction Fuzzy Hash: 6611037A201202ABDB259F39CC45E7B77A9FF96354B40402FF802C73A4EB359811C7A9

Function 004D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004BB7AD,00000000), ref: 004D7D6B

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e81c573fb7cb0e757388a87ac243c8ec438454bf2472e04f7727fd1c0afdc30b
Instruction ID: b18d8aa63c24655f6205e7434e52b755bbcd4d8531fe05a1468ec0d92b6ea7a3
Opcode Fuzzy Hash: e81c573fb7cb0e757388a87ac243c8ec438454bf2472e04f7727fd1c0afdc30b
Instruction Fuzzy Hash: FC11CD31205625AFCB108F28CC54AA63BA6AF45360B118327F93AC73F0E7349951DB48

Function 004D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004D56BB
_wcslen.LIBCMT ref: 004D56CD
_wcslen.LIBCMT ref: 004D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D5816

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 948fa785b0f3d027f3672580c03e90aeca2a8b3e0a10b981a453d43264046542
Instruction ID: f70eeee61b37d2f99d075fae6d288b7fc304222dd3e9a8baafd71933fe31f63f
Opcode Fuzzy Hash: 948fa785b0f3d027f3672580c03e90aeca2a8b3e0a10b981a453d43264046542
Instruction Fuzzy Hash: 0011D271600608A6DB20DB658C91AEE37ACEB11364B10406BF91596281EF78C984CB6D

Function 00471D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8170cd704d98053a7c533178d32982561c1cb015dd1faaa1654326032e87854e
Instruction ID: e4ce1974a869e209f734acdd605bd55bc18ec583b26f87f9278e564935526d28
Opcode Fuzzy Hash: 8170cd704d98053a7c533178d32982561c1cb015dd1faaa1654326032e87854e
Instruction Fuzzy Hash: 8A01F7F22056163EF621167C7CC1FA7671CDF413B8F34832BF529912E1DB689C405928

Function 004A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A8A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 027376dd4c6df002427607145238f7d8e6850e2b93a2849e473bcac6b98ca45c
Instruction ID: db1206e9744381a2b6116de1b78b5958f9bb0c0d6a64a905431cc192e6494f91
Opcode Fuzzy Hash: 027376dd4c6df002427607145238f7d8e6850e2b93a2849e473bcac6b98ca45c
Instruction Fuzzy Hash: AD113C3AD01219FFEB10DBA5CD85FADBB78EB15750F200092E600B7290D6716E50DB98

Function 004AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 004AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004AE24D

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 27e846efd7271b0c7e5bf23445bb114121d8a96ac445db88fea091a2b2064b78
Instruction ID: 14327a9de35e3f84be5e7d4eacf3e66f0750f66ababda21258b09cbc1ef9be48
Opcode Fuzzy Hash: 27e846efd7271b0c7e5bf23445bb114121d8a96ac445db88fea091a2b2064b78
Instruction Fuzzy Hash: BA110872E04259BBC7019BA99C49BDF7FACDB56310F0086A6F935D3291D2748D0487A8

Function 0046D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0046CFF9,00000000,00000004,00000000), ref: 0046D218
GetLastError.KERNEL32 ref: 0046D224
__dosmaperr.LIBCMT ref: 0046D22B
ResumeThread.KERNEL32(00000000), ref: 0046D249

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e3e6754619fe229ec3ce3358fbbbaada51671352c706bcbe36fc6f676a3df27d
Instruction ID: 185c4b4b806d7e22eaa87621dd1c17646272a937dcd2fd26d974b53fc305ec6c
Opcode Fuzzy Hash: e3e6754619fe229ec3ce3358fbbbaada51671352c706bcbe36fc6f676a3df27d
Instruction Fuzzy Hash: 3A012636D052047BCB105BA6DC05BAF7B68DF81334F10426BF824921D0EF75C901C6AB

Function 004D9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

GetClientRect.USER32(?,?), ref: 004D9F31
GetCursorPos.USER32(?), ref: 004D9F3B
ScreenToClient.USER32(?,?), ref: 004D9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 004D9F7A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: fdb46f825d0c9c0a02048e3c3985d8b2bca7e246593491caa4f59fdc47d02380
Instruction ID: c0f480d867c035fd48f5ecb899952186af955f961292ce2f631643572e8a8646
Opcode Fuzzy Hash: fdb46f825d0c9c0a02048e3c3985d8b2bca7e246593491caa4f59fdc47d02380
Instruction Fuzzy Hash: 47114832A0011ABBDB00DF69D8999EE77B8FB05315F40056BF911E3240D338BE81CBA9

Function 0044600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
GetStockObject.GDI32(00000011), ref: 00446060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 65e84a1f5ffe90201bde4ec3030c145bac4accdf6b6e1ebd9ef25b6dec211cc3
Instruction ID: a1ecd2a35bdc41763f742d6e1e2133045762a127e5ed639f7c99f76b3d1ff69e
Opcode Fuzzy Hash: 65e84a1f5ffe90201bde4ec3030c145bac4accdf6b6e1ebd9ef25b6dec211cc3
Instruction Fuzzy Hash: 2E11A1B2102509BFEF128FA4CC44EEBBB69EF09355F010217FA1452110C736DC60DBA5

Function 00463B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00463B56

Part of subcall function 00463AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00463AD2
Part of subcall function 00463AA3: ___AdjustPointer.LIBCMT ref: 00463AED

_UnwindNestedFrames.LIBCMT ref: 00463B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00463B7C
CallCatchBlock.LIBVCRUNTIME ref: 00463BA4

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: baef11e2670b8e669d5dc69bc645bd4508640475bad923596370180b6adc5e1f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 80018032100189BBDF125E96CC42DEB3F6DEF88759F04400AFE4856121E73AE961DBA5

Function 00473073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004413C6,00000000,00000000,?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue), ref: 004730A5
GetLastError.KERNEL32(?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue,004E2290,FlsSetValue,00000000,00000364,?,00472E46), ref: 004730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue,004E2290,FlsSetValue,00000000), ref: 004730BF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cd460baee730a5fc062a3830443ea61a31d7ed47ba38f6cc8f0673754b835c48
Instruction ID: 5e7b070fca632c926db95e8c61440554c631d2e6c48814794bd542727d34338c
Opcode Fuzzy Hash: cd460baee730a5fc062a3830443ea61a31d7ed47ba38f6cc8f0673754b835c48
Instruction Fuzzy Hash: 4B01FC32752263ABCB314F789C849D777989F05B62B108732F909D7284D725D905D6D8

Function 004A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 004A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004A74CA

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 06cf105919da84dd6528e902219d047aea51d88f6e12889b535f7c86b01ae603
Instruction ID: 3050082cd5ca89934f75524ba3deb1d905f38cb66990f7fe957bc9a23a36e035
Opcode Fuzzy Hash: 06cf105919da84dd6528e902219d047aea51d88f6e12889b535f7c86b01ae603
Instruction Fuzzy Hash: 0A11ADB120A311AFE7308F14DD48B927BFCEB09B00F10856BE616D6191D7B4E904DBA5

Function 004AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB126

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 427a209ace80c095cc8a1610c761dbed6a10fd2c332abe7ed14676c8004223e0
Instruction ID: 4a88bd620ab87f1c5a41ab028966d3fb503e972ba1393ac22d5179d0d8c360d4
Opcode Fuzzy Hash: 427a209ace80c095cc8a1610c761dbed6a10fd2c332abe7ed14676c8004223e0
Instruction Fuzzy Hash: 4A115E31C0152DE7CF009FE5D9986EEBB78FF2A751F1040A7D941B6282CB345651CB99

Function 004D7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004D7E33
ScreenToClient.USER32(?,?), ref: 004D7E4B
ScreenToClient.USER32(?,?), ref: 004D7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D7E8A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 23650e8f1e8a09cbd1bb4709f9152d47dd88e1088ee2bb693f424b3ee7cbaa78
Instruction ID: 34ab880896ad92d93435ca30d8b98aaab698f739ca6b87f4ccd9e92b3def29ad
Opcode Fuzzy Hash: 23650e8f1e8a09cbd1bb4709f9152d47dd88e1088ee2bb693f424b3ee7cbaa78
Instruction Fuzzy Hash: 3C1140B9D0020AAFDB41CF98C884AEEBBF9FB08310F509166E915E2210D735AA54CF94

Function 004A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 004A2DD6
GetCurrentThreadId.KERNEL32 ref: 004A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004A2DE4

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 875ce4e6fa84875c9714ca1075041573b23a2489e474233f0260d040329d8919
Instruction ID: c640dc4997dd81bfc8981cc77e39e8818434e40ab040f886a04aa59b1adb4f35
Opcode Fuzzy Hash: 875ce4e6fa84875c9714ca1075041573b23a2489e474233f0260d040329d8919
Instruction Fuzzy Hash: ACE092711422257BDB201B769C4DFEB3F6CEF53BA1F000027F505D10819AE8C841D6B4

Function 004D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00459639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596A2
Part of subcall function 00459639: BeginPath.GDI32(?), ref: 004596B9
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004D8887
LineTo.GDI32(?,?,?), ref: 004D8894
EndPath.GDI32(?), ref: 004D88A4
StrokePath.GDI32(?), ref: 004D88B2

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f5ab688d72cffe9a957683257d67deb686fbeca8addc102e9761c82c06749508
Instruction ID: 2664e38b7238247bb07a401e116605790665306b17a4334baa32ab1815d2c055
Opcode Fuzzy Hash: f5ab688d72cffe9a957683257d67deb686fbeca8addc102e9761c82c06749508
Instruction Fuzzy Hash: 18F09A36002259FADB122F94AC09FDE3B19AF06310F008012FA11611E2C7781515DFAD

Function 004598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004598CC
SetTextColor.GDI32(?,?), ref: 004598D6
SetBkMode.GDI32(?,00000001), ref: 004598E9
GetStockObject.GDI32(00000005), ref: 004598F1

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e26463eab76b0fc71440375ccb2d85fe008c63a816323d3d9392049652d7d88b
Instruction ID: b099cf2ee14519a9ff141320a8571acd5c6f363b4344eb77e9d1607a7d2e3d4e
Opcode Fuzzy Hash: e26463eab76b0fc71440375ccb2d85fe008c63a816323d3d9392049652d7d88b
Instruction Fuzzy Hash: 57E03931245291AADF215B74AC49BED3F60AB12336F04822BF6FA581E2C3754640DF14

Function 004A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 004A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004A11D9), ref: 004A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004A11D9), ref: 004A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004A11D9), ref: 004A164F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 02697746fb84ed9abf6250e8d851bdfb5cb9cd2586addd8346ae99a9b8fc4a02
Instruction ID: 35d023e7b05fb92314854e21ee2d9a1adc1f5b86a08682e16fb29d83da064714
Opcode Fuzzy Hash: 02697746fb84ed9abf6250e8d851bdfb5cb9cd2586addd8346ae99a9b8fc4a02
Instruction Fuzzy Hash: 58E08631603212DBDB201FE09E4DB473B7CAF657A1F14482AF646C9090D6384440C798

Function 0049D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0049D858
GetDC.USER32(00000000), ref: 0049D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049D882
ReleaseDC.USER32(?), ref: 0049D8A3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a3498a10f2bb73d47a91dcc14269409cd809ebd074732f6f2e776d94ee45b594
Instruction ID: 3aaf4053f2078168c9955281b5f654ba84837fd02694930be7fe47ba03efe72d
Opcode Fuzzy Hash: a3498a10f2bb73d47a91dcc14269409cd809ebd074732f6f2e776d94ee45b594
Instruction Fuzzy Hash: 66E01AB0C01206DFCF41AFA1D88C66DBBB2FB08311F18802AE806E7250C7388906EF49

Function 0049D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0049D86C
GetDC.USER32(00000000), ref: 0049D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049D882
ReleaseDC.USER32(?), ref: 0049D8A3

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: afb1cae67f1dbccf9c3338bf22ba5292c787c2f63e3ce4fe37678ff89ba98f3d
Instruction ID: 8a0dd66dbd2cf0e8632969383f4558a253f4a699c4b0c1b5bdf8a92fedab7319
Opcode Fuzzy Hash: afb1cae67f1dbccf9c3338bf22ba5292c787c2f63e3ce4fe37678ff89ba98f3d
Instruction Fuzzy Hash: 01E01A70C01201DFCF519FA0D88C66DBBB1FB08311B18801AE806E7250C7389906DF48

Function 004B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004B4ED4

Strings

LPT, xrefs: 004B4DFB
*, xrefs: 004B4E10

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 1d7f2af3f0c3acc30d1f708f30b90b234b7dba0fb415b3f64dbb438e1ed0647b
Instruction ID: fc6d50f192e5efcd8ea09b424c24f5cd83eeac2870246fe44556ac36402dc668
Opcode Fuzzy Hash: 1d7f2af3f0c3acc30d1f708f30b90b234b7dba0fb415b3f64dbb438e1ed0647b
Instruction Fuzzy Hash: 82916275A002149FDB14DF59C484EAABBF1BF84308F15809EE80A9F362D739ED46CB65

Function 0046E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0046E30D

Strings

pow, xrefs: 0046E2E5, 0046E302

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d2ec362d2247b156f66eebbbbb5ecf01cdf7222e8afdbdbd2750263e8486627f
Instruction ID: b9c5f7d86daa2e0ed5751245eefc63fb416e1e6520d516d18cfaac5e2b88b105
Opcode Fuzzy Hash: d2ec362d2247b156f66eebbbbb5ecf01cdf7222e8afdbdbd2750263e8486627f
Instruction Fuzzy Hash: 34513B65A0C20296CB157715C9413FB3BD89B40740F60C9ABE499863E9FF3D8CD59A8F

Function 004C7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0049569E,00000000,?,004DCC08,?,00000000,00000000), ref: 004C78DD

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

CharUpperBuffW.USER32(0049569E,00000000,?,004DCC08,00000000,?,00000000,00000000), ref: 004C783B

Strings

<sP, xrefs: 004C77C8

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sP
API String ID: 3544283678-3175726631
Opcode ID: 54d96038577731159b43ad5261e1892af406e9be15824d66bceb810929d6c411
Instruction ID: a53b1428dbe54a61496e558a0edd951661e58ad60d94939172bb17e6dfdc153d
Opcode Fuzzy Hash: 54d96038577731159b43ad5261e1892af406e9be15824d66bceb810929d6c411
Instruction Fuzzy Hash: 08616E76914119ABEF04FFA5CC91EFEB374BF14704B44052FE602A3191EB386A05DBA9

Function 0045E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0045E1B1

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3e6ac99848bb605edfe9246f7fd244e9b7fae93246d95f4b24dc47cd5f51c8d7
Instruction ID: b4315caa145df46ccb7fd89d66e4fc10af2c076208bdc4ae863a783938ca52a6
Opcode Fuzzy Hash: 3e6ac99848bb605edfe9246f7fd244e9b7fae93246d95f4b24dc47cd5f51c8d7
Instruction Fuzzy Hash: B0512235504206DFDF18DFAAC0806BA7BA4EF55310F2440ABFC519B391D6389E47CB6A

Function 0045F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0045F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0045F2BB

Strings

@, xrefs: 0045F2AF

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4538dff3fd4836339bfc40263d9710bb2781d9f4dea7ae7cf927123355d85d65
Instruction ID: 34a939415a702d6c7226b88bc9533915341ea8f3f7fad2a26033a73c6dfb2535
Opcode Fuzzy Hash: 4538dff3fd4836339bfc40263d9710bb2781d9f4dea7ae7cf927123355d85d65
Instruction Fuzzy Hash: DD5155714097449BE320AF51D886BAFBBF8FB84304F81885EF1D9411A5EB358529CB6B

Function 004C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004C57E0
_wcslen.LIBCMT ref: 004C57EC

Strings

CALLARGARRAY, xrefs: 004C57E6, 004C57EB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 67a13b69f296f5b70827a642dbefe899466c19655f67c3fe0cfd4c3d27c7a8f9
Instruction ID: b039225f3c0b8f1924038c040c322aa6086fa70ee05cfdbc7127f434df01eec2
Opcode Fuzzy Hash: 67a13b69f296f5b70827a642dbefe899466c19655f67c3fe0cfd4c3d27c7a8f9
Instruction Fuzzy Hash: 9341A135A001059FCB14EFAAC881DAEBBB5EF59354F10406EF505A7352D738AD81CBA8

Function 004BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004BD13A

Strings

|, xrefs: 004BD10B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2ee2b61de4ba264264921098ebee19c5feb20cf9203e359011c142a940ca8a52
Instruction ID: 97d0fa522cf00627de11069acf3e5aef7b2f3a08354bfaf10af945ac474c0140
Opcode Fuzzy Hash: 2ee2b61de4ba264264921098ebee19c5feb20cf9203e359011c142a940ca8a52
Instruction Fuzzy Hash: A6315071D00209ABDF15EFA5CC85AEF7FB9FF05304F10005AF815A6261E735A906CB69

Function 004D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004D365C

Strings

static, xrefs: 004D35BC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 476d6c0314ec72f14a77e1bd3ed50d76355670e7da606dae36675d78e927cfe3
Instruction ID: e1354b893329e14a86276c5e1b0cc98c33cb79a2a3a18fcfd104cbf1477665a1
Opcode Fuzzy Hash: 476d6c0314ec72f14a77e1bd3ed50d76355670e7da606dae36675d78e927cfe3
Instruction Fuzzy Hash: 1631AE71100604AADB20DF28DC90ABB73A9FF48724F00861FF8A597280DA39ED81D769

Function 004D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D4634

Strings

', xrefs: 004D458E

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: bde404b34ffff47073bd94a9ca1ec898818a83c058ceafcb0084d58d9cc4641b
Instruction ID: 03f51e7ef033263042f15b21f0236713621bd572ee70497e4af5210c61d5f84b
Opcode Fuzzy Hash: bde404b34ffff47073bd94a9ca1ec898818a83c058ceafcb0084d58d9cc4641b
Instruction Fuzzy Hash: 92312774A0120AAFDB14CFA9D9A1BDA7BB5FF49300F10406BEA05AB381D774E941CF94

Function 004D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D3287

Strings

Combobox, xrefs: 004D3249

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 85faac9b5f1fd0a7ed863b29855315abec2e746e800ceeff68f94d24d302e6ce
Instruction ID: 3b457fb67f3f3924f69618d8a80f09f709bb9dbb7456207f2377ca6322dc6b7f
Opcode Fuzzy Hash: 85faac9b5f1fd0a7ed863b29855315abec2e746e800ceeff68f94d24d302e6ce
Instruction Fuzzy Hash: C9112271B002087FFF219F94DC90EBB3B6AEB98364F10412BF91897390C6399D518765

Function 004D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0044600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
Part of subcall function 0044600E: GetStockObject.GDI32(00000011), ref: 00446060
Part of subcall function 0044600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

GetWindowRect.USER32(00000000,?), ref: 004D377A
GetSysColor.USER32(00000012), ref: 004D3794

Strings

static, xrefs: 004D3757

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: eb57c96b918cdaa56d1f626eb82be2ef7fb499d5b63829b9e5cbaff2f103bda5
Instruction ID: fc0cd06173cac8f1bbfd3cf2a2525b9ad7b54a156b47af07ae6bf56b961d23c6
Opcode Fuzzy Hash: eb57c96b918cdaa56d1f626eb82be2ef7fb499d5b63829b9e5cbaff2f103bda5
Instruction Fuzzy Hash: 011159B261060AAFDF00DFA8CC46AEA7BB8EB08304F00452AF955E2250D739E811DB64

Function 004BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004BCDA6

Strings

<local>, xrefs: 004BCD66

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ce9d563cbc023c67c2ffb78bfb61432b0ffb826bdf7fa9c688e809ca380ba349
Instruction ID: 6593229dd68f8330d21f8bcc2e13eb8938a26f9a109c86a3041524e2ce44e710
Opcode Fuzzy Hash: ce9d563cbc023c67c2ffb78bfb61432b0ffb826bdf7fa9c688e809ca380ba349
Instruction Fuzzy Hash: 0311C279245632BAD7384B668CC9EE7BEACEF527A4F40423BB14983180D7789841D6F4

Function 004D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004D34BA

Strings

edit, xrefs: 004D348F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0dfbe3b06bc623a6073ca19c96c83c7f88adb74e936b347bfcee1f13724a0fd8
Instruction ID: 2f59a3fba9966ff46245516af3b08cc07ef20119f7348624a7216ad763ab03e4
Opcode Fuzzy Hash: 0dfbe3b06bc623a6073ca19c96c83c7f88adb74e936b347bfcee1f13724a0fd8
Instruction Fuzzy Hash: A1116D71100108AAEB118E64ECA4AEB376AEB15379F504327F961933D0C77DEC519B5A

Function 004A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

CharUpperBuffW.USER32(?,?,?), ref: 004A6CB6
_wcslen.LIBCMT ref: 004A6CC2

Strings

STOP, xrefs: 004A6CBC, 004A6CC1

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 585f838addd6a1dcfa1d862e0a6b0067b0df7693e44685537eafc5f3cb32a4e4
Instruction ID: 51f64ff4f491644127389aad8bd5d4712397159713f694c84840bab8a5ce5ed0
Opcode Fuzzy Hash: 585f838addd6a1dcfa1d862e0a6b0067b0df7693e44685537eafc5f3cb32a4e4
Instruction Fuzzy Hash: 300104326005278BDB20AFBDDC808BF37A4EF72764716052AE86292295EB39D900C658

Function 004A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004A1D4C

Strings

ListBox, xrefs: 004A1D16
ComboBox, xrefs: 004A1CEB

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 262886b944b74f2666aae01c137df1a02ea99058284643ea095d9063cb77da5a
Instruction ID: 15b7849d1167e34117b6e4773c509ced9e1cce4180d483045116549f4b1e2cc6
Opcode Fuzzy Hash: 262886b944b74f2666aae01c137df1a02ea99058284643ea095d9063cb77da5a
Instruction Fuzzy Hash: 0601F535611214ABDB04EBA4CC518FF7768FB23354F00061FB832573D1EA3869089664

Function 004A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 004A1C46

Strings

ListBox, xrefs: 004A1C10
ComboBox, xrefs: 004A1BE5

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 071a49af97f0ce6f05aef86313eab9341a6e2db73793d0a2dccfd44056e4b402
Instruction ID: d21346630dbf068fb782e4f9e67ee212914faffb0e9e8c5e8d863d645ead0480
Opcode Fuzzy Hash: 071a49af97f0ce6f05aef86313eab9341a6e2db73793d0a2dccfd44056e4b402
Instruction Fuzzy Hash: 5901A775AC110466DB14FB91CD519FF77A89B27394F14001FB407672D2EA289E08D6B9

Function 004A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 004A1CC8

Strings

ListBox, xrefs: 004A1C94
ComboBox, xrefs: 004A1C69

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8cbfb959939cb0bc9baa5f2f0d27be3b8cd24e6d1caf9223ccbeacf4a14da1a8
Instruction ID: f7a51ce49430393806f4c2f418fc2b9c8c77bb6fc90578602ee0c1d10dfc0609
Opcode Fuzzy Hash: 8cbfb959939cb0bc9baa5f2f0d27be3b8cd24e6d1caf9223ccbeacf4a14da1a8
Instruction Fuzzy Hash: 5201DB75A8111467DF04FB95CE41AFF77A89B23354F54001BB80273291FA289F08D6B9

Function 0045A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045A529

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Strings

,%Q, xrefs: 0045A509
3yI, xrefs: 0045A545, 0045A54D, 0045A552

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%Q$3yI
API String ID: 2551934079-1071883843
Opcode ID: b2421759035faadda96409f4d5995b7c02545e247171ecd844caccc2912c28cf
Instruction ID: 648746e381d02eb8b48b1fab99bc4f4a83cb9c0427ee793c85b59d53f0d1da34
Opcode Fuzzy Hash: b2421759035faadda96409f4d5995b7c02545e247171ecd844caccc2912c28cf
Instruction Fuzzy Hash: 7901473170061497D600F7A9D85BE9E3354AB05715F50011FF9021B2C3FE5C6D598A9F

Function 004A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 004A1DD3

Strings

ListBox, xrefs: 004A1DA0
ComboBox, xrefs: 004A1D75

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a4ebf01f1b1661291d97dc04fda52d19682a7369e3b0a27b14d596ab95f65b68
Instruction ID: 22d49934ac4b6e9a1eaf528c44c616dc7801ff811ab3188651c4907c5c818e70
Opcode Fuzzy Hash: a4ebf01f1b1661291d97dc04fda52d19682a7369e3b0a27b14d596ab95f65b68
Instruction Fuzzy Hash: 2EF02D71B4121466D704F7A5CC91FFF7778AB13354F44091FB422632D1EB786D088668

Function 004D8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00513018,0051305C), ref: 004D81BF
CloseHandle.KERNEL32 ref: 004D81D1

Strings

\0Q, xrefs: 004D818A

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0Q
API String ID: 3712363035-1506629975
Opcode ID: 39298829c5b8a0fc278ccc73f95ce168ab7a9d112297db2e89ca192b9a615c6f
Instruction ID: 2f46f9e9cc4a55fa7a43527276f2522fb7c47d8640e7181e99b9e487f1882361
Opcode Fuzzy Hash: 39298829c5b8a0fc278ccc73f95ce168ab7a9d112297db2e89ca192b9a615c6f
Instruction Fuzzy Hash: F8F05EB1640700BAF7206761AC69FF73EDCEB18754F004426BF08D52A2D6798F4492B9

Function 004C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004C7493
_wcslen.LIBCMT ref: 004C74B9

Strings

3, 3, 16, 1, xrefs: 004C7483

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 543f7f5fbd605bfa83c3cff0e5a95485baa07f2ea8535f11277f376d504e51e9
Instruction ID: 45e17eaf5e2bffe9cb0ae5974074b864ff73e130e5230a90b159cc22b5b3f666
Opcode Fuzzy Hash: 543f7f5fbd605bfa83c3cff0e5a95485baa07f2ea8535f11277f376d504e51e9
Instruction Fuzzy Hash: 68E02B4A74462011A3B5127B9CC1F7F5A8ADFC9760714182FF981C2366FA9C8D9193AD

Function 004A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004A0B23

Strings

Error allocating memory., xrefs: 004A0B1C
AutoIt, xrefs: 004A0B17

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 7705b3f444a848574fc7d1b2d55eb9c72e5780be1e52e0694aec890d95f04b0f
Instruction ID: beb60d32a384848502b03807395dd6013ba68455c33db475916b32eda1e4b68d
Opcode Fuzzy Hash: 7705b3f444a848574fc7d1b2d55eb9c72e5780be1e52e0694aec890d95f04b0f
Instruction Fuzzy Hash: 36E0D83134430926D2143795BC43F897B848F05F15F10042FFB48555C39ADA685486EE

Function 00460D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0045F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00460D71,?,?,?,0044100A), ref: 0045F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0044100A), ref: 00460D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0044100A), ref: 00460D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00460D7F

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ea63d9ddd9de19cb85ede8b66247d616cd774e183023d3b75d13869ea5c6fbea
Instruction ID: b4396aaf9c4384deaaf9898fd2facedd68c0a123982e56a229f96da5c52b3928
Opcode Fuzzy Hash: ea63d9ddd9de19cb85ede8b66247d616cd774e183023d3b75d13869ea5c6fbea
Instruction Fuzzy Hash: 1FE092702007018BD3309FB9E4483477BE4AF14749F008A7FE486C6755EBB8E448CB9A

Function 0045E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045E3D5

Strings

8%Q, xrefs: 0045E3CA
0%Q, xrefs: 0045E3B5

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%Q$8%Q
API String ID: 1385522511-2527737110
Opcode ID: 9add2d6fbb9792fce667f23d7d305d5abad1d3831bc80dc2617747b3f047374f
Instruction ID: 8c4a2a4ae19e0495878f0562025d59f2ceb8b111f464fd6dc04e021678371acf
Opcode Fuzzy Hash: 9add2d6fbb9792fce667f23d7d305d5abad1d3831bc80dc2617747b3f047374f
Instruction Fuzzy Hash: 8FE02631400A10CBC708971AF9E4EC93397BB05325F1241ABEC02CF2D2EB386D89A64E

Function 004B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004B302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004B3044

Strings

aut, xrefs: 004B3038

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b3277536a4cb5df4c3a667068b3ed478dc328f6ab5f84d2595a744fbca9442f0
Instruction ID: 13abb99cc5a8c4c081aa7898c79f42adcd3ca04a175a76869cb90a64868084a9
Opcode Fuzzy Hash: b3277536a4cb5df4c3a667068b3ed478dc328f6ab5f84d2595a744fbca9442f0
Instruction Fuzzy Hash: EED05B7190131467DA20A7949C4DFCB3B6CD704750F0002A2B655D20D1DAB09544CAD4

Function 0049D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0049D220

Strings

X64, xrefs: 0049D2A8
%.3d, xrefs: 0049D22B

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: c9ee536fc51e451d710907bd79b8d3d4af697d0c1c1a609f429ce980c0fe654a
Instruction ID: 7e60b206db3f89b3522522619b4067cad92b38d9d71239abe66f9f19c7c2704b
Opcode Fuzzy Hash: c9ee536fc51e451d710907bd79b8d3d4af697d0c1c1a609f429ce980c0fe654a
Instruction Fuzzy Hash: 47D01261C09109EACF5097D0DC498BDBB7CBB18301F5084B3FC0691081D62CD50EA76B

Function 004D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D236C
PostMessageW.USER32(00000000), ref: 004D2373

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Strings

Shell_TrayWnd, xrefs: 004D2365

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d5eabe8c3a6d1bb7d4d779b9b342d14d425be867012a1a85325c245ad38eb643
Instruction ID: 118abc622daaf8b6b6466703975a8a8aab730f7cb9861cb04c7a6f99d4823945
Opcode Fuzzy Hash: d5eabe8c3a6d1bb7d4d779b9b342d14d425be867012a1a85325c245ad38eb643
Instruction Fuzzy Hash: B1D0C972382321BAEA64A771AC4FFCA7A58AB15B14F0049277655AA1D0C9A4A801CA58

Function 004D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004D233F

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Strings

Shell_TrayWnd, xrefs: 004D2325

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fdf151f8e975d3b289e382a6ce2166b8d07e5f8aa9bfe89ca91270416045b8f8
Instruction ID: cbfc64e605fddf7b1545781ed22937103b29056cdebe4301e6b55c2b8bb51b2a
Opcode Fuzzy Hash: fdf151f8e975d3b289e382a6ce2166b8d07e5f8aa9bfe89ca91270416045b8f8
Instruction Fuzzy Hash: 7FD02272381320B7EA74B331EC4FFCB7B08AB00B00F0009277305AA0D0C9F0A800CA08

Function 0047BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0047BE93
GetLastError.KERNEL32 ref: 0047BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0047BEFC

Memory Dump Source

Source File: 00000000.00000002.1754213508.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1754183600.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754301368.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754472306.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754501354.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0485c0fed95156766e203775d21f581f7f78ca9f101a8892b8c46fb6a7bb3245
Instruction ID: a060bf7ae58d43eb116cd07179123c307ca63948accc4a1297d94b76ad0f830d
Opcode Fuzzy Hash: 0485c0fed95156766e203775d21f581f7f78ca9f101a8892b8c46fb6a7bb3245
Instruction Fuzzy Hash: 4D41C134601216ABCB218F65CC54BEB7BA4EF41B20F14C16BF95DA73A1EB348C01CB99

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1831216586.0000019FEA76A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896237298.0000019FEA7E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831216586.0000019FEA7E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1890612574.0000019FF4AB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900202732.0000019FF4AB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890612574.0000019FF4AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1878927530.0000019FF46C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825020662.0000019FF46C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827079792.0000019FF0895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1878927530.0000019FF46C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825020662.0000019FF46C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827079792.0000019FF0895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1831216586.0000019FEA76A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896237298.0000019FEA7E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831216586.0000019FEA7E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1900202732.0000019FF4AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890612574.0000019FF4AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878098780.0000019FF4AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1776778886.0000019FEACDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1776778886.0000019FEACDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1878927530.0000019FF46C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825020662.0000019FF46C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827079792.0000019FF0895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1878927530.0000019FF46C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825020662.0000019FF46C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827079792.0000019FF0895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950433482.000002753E70A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2950040268.0000022C7550C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950433482.000002753E70A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2950040268.0000022C7550C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1830824921.0000019FEAA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950433482.000002753E70A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2950040268.0000022C7550C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.2950040268.0000022C7550C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.2950040268.0000022C7550C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.2950040268.0000022C7550C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2950433482.000002753E70A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/sfW equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2950433482.000002753E70A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/sfW equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2950433482.000002753E70A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/sfW equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1890543156.0000019FF5079000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878046659.0000019FF5075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1831216586.0000019FEA76A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896237298.0000019FEA7E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831216586.0000019FEA7E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1900202732.0000019FF4AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890612574.0000019FF4AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878098780.0000019FF4AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1905578146.0000019FE9DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49826 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_033fe187-7343-4f61-9672-73623c6f30c3.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_033fe187-7343-4f61-9672-73623c6f30c3.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre