Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1543093
MD5:	089d8306a0eb1989d38e3ce159191f66
SHA1:	ca8f2d0f5ccab8d2535e226892fc5650b9050a36
SHA256:	aa30d0547aacd99972a5860ec25d1b8de74710c1d64c28a99379d5e72cf621c9
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 089D8306A0EB1989D38E3CE159191F66)

taskkill.exe (PID: 7328 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7444 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7500 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7556 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7620 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7684 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7720 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7736 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7972 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7c5687c-def4-45c9-ae4a-1b0aa07de766} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 298f5c6ed10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7304 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -parentBuildID 20230927232528 -prefsHandle 4340 -prefMapHandle 4220 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55fd1972-1430-4133-9bd8-75ac33fba38e} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 29887e24510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6036 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3536 -prefMapHandle 3456 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76630401-2e09-4eaa-8952-b3400db86ea9} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 29891abbf10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7312	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00FBEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FBEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FBED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FBED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00FBEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FAAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FD9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_847e7815-0
Source: file.exe, 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_49e1785b-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1fdabc35-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7da8c58b-b

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000020C11DD58B7 NtQuerySystemInformation,		16_2_0000020C11DD58B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000020C11DF98F2 NtQuerySystemInformation,		16_2_0000020C11DF98F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FAD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FA1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FAE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F48060	0_2_00F48060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB2046	0_2_00FB2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA8298	0_2_00FA8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F7E4FF	0_2_00F7E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F7676B	0_2_00F7676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD4873	0_2_00FD4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4CAF0	0_2_00F4CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6CAA0	0_2_00F6CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5CC39	0_2_00F5CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F76DD9	0_2_00F76DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F491C0	0_2_00F491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5B119	0_2_00F5B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61394	0_2_00F61394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61706	0_2_00F61706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6781B	0_2_00F6781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F619B0	0_2_00F619B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5997D	0_2_00F5997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F47920	0_2_00F47920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F67A4A	0_2_00F67A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F67CA7	0_2_00F67CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61C77	0_2_00F61C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F79EEE	0_2_00F79EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCBE44	0_2_00FCBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61F32	0_2_00F61F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000020C11DD58B7	16_2_0000020C11DD58B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000020C11DF98F2	16_2_0000020C11DF98F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000020C11DFA01C	16_2_0000020C11DFA01C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000020C11DF9932	16_2_0000020C11DF9932

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F5F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F60A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@34/36@69/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB37B5 GetLastError,FormatMessageW,

0_2_00FB37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA10BF AdjustTokenPrivileges,CloseHandle,		0_2_00FA10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FA16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FB51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FAD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FB648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1961911167.000002988FE98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1960119629.0000029891A32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976585446.0000029891A32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1961405065.0000029891871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7c5687c-def4-45c9-ae4a-1b0aa07de766} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 298f5c6ed10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -parentBuildID 20230927232528 -prefsHandle 4340 -prefMapHandle 4220 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55fd1972-1430-4133-9bd8-75ac33fba38e} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 29887e24510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3536 -prefMapHandle 3456 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76630401-2e09-4eaa-8952-b3400db86ea9} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 29891abbf10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7c5687c-def4-45c9-ae4a-1b0aa07de766} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 298f5c6ed10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -parentBuildID 20230927232528 -prefsHandle 4340 -prefMapHandle 4220 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55fd1972-1430-4133-9bd8-75ac33fba38e} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 29887e24510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3536 -prefMapHandle 3456 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76630401-2e09-4eaa-8952-b3400db86ea9} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 29891abbf10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000D.00000003.1978629354.000002988F926000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987578137.000002988F926000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1996968204.00000298855B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1996968204.00000298855B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1978629354.000002988F926000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987578137.000002988F926000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1993881961.00000298855B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1993881961.00000298855B3000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F442DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F60A76 push ecx; ret

0_2_00F60A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F5F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FD1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96811

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000020C11DD58B7 rdtsc

16_2_0000020C11DD58B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB68EE FindFirstFileW,FindClose,	0_2_00FB68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FB698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FAD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FAD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FB9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FB5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F442DE

Source: firefox.exe, 00000010.00000002.3012538823.0000020C1153A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPh
Source: firefox.exe, 0000000F.00000002.3013998055.0000024ABB19A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,=
Source: firefox.exe, 00000010.00000002.3020077726.0000020C11E72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: firefox.exe, 0000000F.00000002.3013998055.0000024ABB19A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3020077726.0000020C11E60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3020257579.0000024ABB720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3020956350.0000024ABBB40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: firefox.exe, 00000014.00000002.3019052622.000001F7FF510000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWwz
Source: firefox.exe, 00000014.00000002.3013147809.000001F7FF20A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@%Q
Source: firefox.exe, 0000000F.00000002.3020956350.0000024ABBB40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000020C11DD58B7 rdtsc

16_2_0000020C11DD58B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FBEAA2 BlockInput,

0_2_00FBEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F72622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F64CE8 mov eax, dword ptr fs:[00000030h]

0_2_00F64CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00FA0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F72622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F6083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F609D5 SetUnhandledExceptionFilter,	0_2_00F609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F60C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F60C21

Source: C:\Users\user\Desktop\file.exe

0_2_00FA1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F82BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F82BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAB226 SendInput,keybd_event,

0_2_00FAB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FC22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00FA0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FA1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F60698 cpuid

0_2_00F60698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FB8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9D27A GetUserNameW,

0_2_00F9D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F7BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F7BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7312, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7312, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FC1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FC1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.1	true	false		unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.65.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.185.238	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	172.217.18.110	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.1.140	true	false		unknown
ipv4only.arpa	192.0.0.170	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1988161888.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1855933176.00000298880ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964561554.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970255571.00000298880ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015225093.0000020C118C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014895067.000001F7FF4C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1983028764.00000298872D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1986911192.0000029891A1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976585446.0000029891A1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960119629.0000029891A1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000D.00000003.1985458304.00000298FFA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3016075236.0000024ABB5CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015225093.0000020C118E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3019338953.000001F7FF704000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1941855133.000002988E0AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920212591.000002988E0AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847899623.000002988E0BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924490587.000002988E0AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849161193.000002988E0BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3015225093.0000020C11886000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014895067.000001F7FF48F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1978993310.000002988F460000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1981109992.000002988E110000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1962151432.000002988FE10000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1816942616.0000029885977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816809632.000002988595A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816348887.0000029885700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816637497.000002988593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816485008.000002988591F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1961405065.0000029891897000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1988161888.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964561554.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1962595375.000002988F9A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1816942616.0000029885977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816809632.000002988595A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816348887.0000029885700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816637497.000002988593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934843386.0000029887708000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816485008.000002988591F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1966044441.0000029889061000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1816942616.0000029885977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816809632.000002988595A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816348887.0000029885700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816637497.000002988593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816485008.000002988591F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1966044441.0000029889061000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1961911167.000002988FE94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000D.00000003.1985458304.00000298FFA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3016075236.0000024ABB5CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015225093.0000020C118E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3019338953.000001F7FF704000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1876317916.00000298877FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1963508678.000002988F5B8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000D.00000003.1985458304.00000298FFA55000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1962595375.000002988F9A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000D.00000003.1985458304.00000298FFA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3016075236.0000024ABB5CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015225093.0000020C118E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3019338953.000001F7FF704000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000014.00000002.3014895067.000001F7FF40C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1911212138.00000298879F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879871313.0000029886FA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909406210.00000298879F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1963172855.000002988F5EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1978993310.000002988F460000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1854585762.000002988E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964561554.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970255571.00000298880ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015225093.0000020C118C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014895067.000001F7FF4C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1879871313.0000029886F96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909406210.00000298879DB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1918641063.00000298875AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1985458304.00000298FFA28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://amazon.com	firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1962595375.000002988F9A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1981109992.000002988E110000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015225093.0000020C11812000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014895067.000001F7FF413000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1978993310.000002988F460000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1968617068.0000029888448000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1988161888.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964561554.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1963172855.000002988F5F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1932342739.00000298875A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865663672.00000298875F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854692379.000002988E1FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966963832.000002988902C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964561554.000002988DFC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980144212.000002988E1FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890734312.00000298877C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957256306.0000029885AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875673309.00000298877C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865663672.00000298875A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982060265.000002988849B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918641063.00000298875AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981259590.000002988DFC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876317916.00000298877D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883850105.00000298877D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1820759215.00000298857A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967239317.00000298885F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984936519.0000029887709000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817894612.0000029885968000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884728901.000002988758A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870971198.0000029887645000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1966044441.0000029889061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1970482803.0000029887F10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966044441.0000029889061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1980354246.000002988E1A4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1961405065.000002989184A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965137487.000002988D9EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1961405065.000002989184A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965137487.000002988D9EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1963172855.000002988F5F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1941855133.000002988E0AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920212591.000002988E0AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924490587.000002988E0AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849161193.000002988E0BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1854501094.000002988F4B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964264894.000002988F4BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1962595375.000002988F9A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1978993310.000002988F460000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1818173241.0000029883233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1819680648.0000029883230000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1819566427.0000029883217000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1966044441.000002988906C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1908448683.0000029887AF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880946360.0000029886FAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911212138.00000298879F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879871313.0000029886FA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909406210.00000298879F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1818173241.0000029883233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1819680648.0000029883230000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1819566427.0000029883217000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000D.00000003.1985458304.00000298FFA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3016075236.0000024ABB5CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015225093.0000020C118E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3019338953.000001F7FF704000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1854585762.000002988E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1979365336.000002988E2F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854585762.000002988E2F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1978993310.000002988F460000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1816485008.000002988591F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1968617068.0000029888448000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1981109992.000002988E110000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816485008.000002988591F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1988161888.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964561554.000002988DF4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3015589403.0000024ABB340000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018906453.0000020C11D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3014387735.000001F7FF2C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1978993310.000002988F460000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1963508678.000002988F5B8000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543093
Start date and time:	2024-10-27 08:49:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@34/36@69/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.32.18.233, 35.155.254.84, 44.238.230.7, 2.22.61.59, 2.22.61.56, 142.250.186.46, 142.250.185.110, 142.250.74.202, 142.250.185.234
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:50:19	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
151.101.65.91	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
example.org	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
twitter.com	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
star-mini.c10r.facebook.com	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
ATGS-MMD-ASUS	spc.elf	Get hash	malicious	Mirai	Browse	34.16.208.62
	arm7.elf	Get hash	malicious	Mirai	Browse	57.147.18.84
	sh4.elf	Get hash	malicious	Mirai	Browse	32.86.131.63
	m68k.elf	Get hash	malicious	Mirai	Browse	48.227.51.54
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	57.5.138.203
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	https://onlinepdf-qrsharedfile.com/index.html#XYWRhbV9oYW1tZXJtYW5AbnltYy5lZHU=	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	spc.elf	Get hash	malicious	Mirai	Browse	34.16.208.62
	arm7.elf	Get hash	malicious	Mirai	Browse	57.147.18.84
	sh4.elf	Get hash	malicious	Mirai	Browse	32.86.131.63
	m68k.elf	Get hash	malicious	Mirai	Browse	48.227.51.54
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	57.5.138.203
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2601dfeb-0752-4fcc-90d7-32c92a6d0e47.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176728501289605
Encrypted:	false
SSDEEP:	192:mjMXjfocbhbVbTbfbRbObtbyEl7n9rCJA6WnSrDtTUd/SkDrJZ:mYUcNhnzFSJdrxBnSrDhUd/XZ
MD5:	2FFC3824919C78C1BC3746460248E5FE
SHA1:	2668DD4D4A9A71D2F8F89107BEB776632D530F00
SHA-256:	59A9CFC8384CAE54F6D254EABE202456C6F1146018679AD8C8CA6230E5D0ED1C
SHA-512:	AA905386AB12D4F659B492C59B3307611B59B3E18013C3727597C6836736F005F0084D71B10ADEF5E17C0EC65A6C605B7875DC0E952CE35835545F215C96EA97
Malicious:	false
Preview:	{"type":"uninstall","id":"2601dfeb-0752-4fcc-90d7-32c92a6d0e47","creationDate":"2024-10-27T08:52:00.651Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2601dfeb-0752-4fcc-90d7-32c92a6d0e47.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176728501289605
Encrypted:	false
SSDEEP:	192:mjMXjfocbhbVbTbfbRbObtbyEl7n9rCJA6WnSrDtTUd/SkDrJZ:mYUcNhnzFSJdrxBnSrDhUd/XZ
MD5:	2FFC3824919C78C1BC3746460248E5FE
SHA1:	2668DD4D4A9A71D2F8F89107BEB776632D530F00
SHA-256:	59A9CFC8384CAE54F6D254EABE202456C6F1146018679AD8C8CA6230E5D0ED1C
SHA-512:	AA905386AB12D4F659B492C59B3307611B59B3E18013C3727597C6836736F005F0084D71B10ADEF5E17C0EC65A6C605B7875DC0E952CE35835545F215C96EA97
Malicious:	false
Preview:	{"type":"uninstall","id":"2601dfeb-0752-4fcc-90d7-32c92a6d0e47","creationDate":"2024-10-27T08:52:00.651Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925691752646685
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLgRB8P:8S+OBIUjOdwiOdYVjjwLgRB8P
MD5:	B6EEE890DD12A929F58B4E8D77E0B539
SHA1:	C675DAD113B7F54835E02C22F6052B5FA5C4E7D3
SHA-256:	AE107D2922555BDA49C17820212A8E66B79C1201E1623600B337D7C3BD0058AE
SHA-512:	4166481FB2985449501086266592E76B8C8E926F646B3E5EC15584FDEA5C224DB7B528F91F4CE54F1B8A1FF9529D105EBB48DFFF8CA651DA34D8813D0A185C0B
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925691752646685
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLgRB8P:8S+OBIUjOdwiOdYVjjwLgRB8P
MD5:	B6EEE890DD12A929F58B4E8D77E0B539
SHA1:	C675DAD113B7F54835E02C22F6052B5FA5C4E7D3
SHA-256:	AE107D2922555BDA49C17820212A8E66B79C1201E1623600B337D7C3BD0058AE
SHA-512:	4166481FB2985449501086266592E76B8C8E926F646B3E5EC15584FDEA5C224DB7B528F91F4CE54F1B8A1FF9529D105EBB48DFFF8CA651DA34D8813D0A185C0B
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6075
Entropy (8bit):	6.623258976790648
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
MD5:	0EE1DEA50353EF72B3983D45C0F79672
SHA1:	83A858B3793BD9B1C35A954FA71582F557DDAB01
SHA-256:	76D8DD378010DD3158633286B32FCEE00A63EA8E85EAF2E60A8B8B1F6FD32C87
SHA-512:	D08B7A1C9EBF2C277662EA7314B371EE114153AE8CA840100D9EA053210BD20188CE591CA247C7E541590C6AAD925AD10F84F1AA025ACB2F01BC37B1DBC57EBD
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6075
Entropy (8bit):	6.623258976790648
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
MD5:	0EE1DEA50353EF72B3983D45C0F79672
SHA1:	83A858B3793BD9B1C35A954FA71582F557DDAB01
SHA-256:	76D8DD378010DD3158633286B32FCEE00A63EA8E85EAF2E60A8B8B1F6FD32C87
SHA-512:	D08B7A1C9EBF2C277662EA7314B371EE114153AE8CA840100D9EA053210BD20188CE591CA247C7E541590C6AAD925AD10F84F1AA025ACB2F01BC37B1DBC57EBD
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: XlKQ797V2E.exe, Detection: malicious, Browse Filename: XlKQ797V2E.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: XlKQ797V2E.exe, Detection: malicious, Browse Filename: XlKQ797V2E.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335023263500667
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	6CA26ECEEE3056BADA34D69CE0614631
SHA1:	EC5820FB02997DA281AB7D4B682C042FDDF8A1A7
SHA-256:	6115D0FC892AD6BB22151FBA1C0C8C8B5B92F1FF681AE472E8D0D0402C0F7471
SHA-512:	0BF5467DEB6C562D06224D1235182C5F25965547D81CAB7260FDD527E329CABF182E433628C6DCB268217DED5DA6285F399D8DCA3052211B521EE577C2574429
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035287661275580785
Encrypted:	false
SSDEEP:	3:GtlstFEL1JRA/FRvGtlstFEL1JRA/FRvXL89//alEl:GtWtGL1JRVtWtGL1JRa89XuM
MD5:	04C644EE4338E92B1B03EE6944365063
SHA1:	A039276DDF0307A33B93461A23B6B29CE5AE012E
SHA-256:	E1E57552B419209DA648B0E99B0EBE24C0E0D4887A498AB536CE25967845170F
SHA-512:	8B89BDD93C5AD1C790BF71710BF9A271A7F4247CE6E3AAC243AD0D8DC4A9E8FB2BA55580A21A69BADA5DA3EE4C28F4DFCCA3D24CECA51C4471799F03059FDD94
Malicious:	false
Preview:	..-......................?5M.P}.d..ON......$'..-......................?5M.P}.d..ON......$'........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03995818625313585
Encrypted:	false
SSDEEP:	3:Ol1sMrV52dllofByMQa2Pltl8rEXsxdwhml8XW3R2:KeMul8yRdDl8dMhm93w
MD5:	5DC76A7D9F436B5AC62876ACF585FFB6
SHA1:	02F0354AE2C0E74D025EB0A02D407E6D2089A54F
SHA-256:	F3602FE25381585CECE27A5D70AA23ABFBB7714CAE5E36891B8FB34268D98081
SHA-512:	E6BE61A99300B07F460D1E8C0C9F9624F861699A28D5E7987C33DCC0E99491901F8F9B63D8E4AD8995009DCF724750B74D069216B78CF58BB6F3833C834E793B
Malicious:	false
Preview:	7....-..........d..ON.%..w~.j........d..ON.M5?..}P.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.492663472631097
Encrypted:	false
SSDEEP:	192:3naRtLYbBp6Ehj4qyaaXA6KNRNgxc5RfGNBw8dRSl:ieSqgObg2cwu0
MD5:	E341728D35F4834D4A90678DAE544D47
SHA1:	F574F230475EFF2B17C5422B3767AAA7F817CA01
SHA-256:	54C0C93FF9A398C73A142E0A4D6AE22145032590D26D8C3A79AE7F951276B564
SHA-512:	C8A815343E26660679172C46B7A9657F7107D8FC9DBBF415DFE1DE42FEADDEED607CDCE03EF7A604CC7AA13A365E292165B24DB62F87681ABCE839138CA20DAE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730019091);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730019091);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730019091);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173001

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.492663472631097
Encrypted:	false
SSDEEP:	192:3naRtLYbBp6Ehj4qyaaXA6KNRNgxc5RfGNBw8dRSl:ieSqgObg2cwu0
MD5:	E341728D35F4834D4A90678DAE544D47
SHA1:	F574F230475EFF2B17C5422B3767AAA7F817CA01
SHA-256:	54C0C93FF9A398C73A142E0A4D6AE22145032590D26D8C3A79AE7F951276B564
SHA-512:	C8A815343E26660679172C46B7A9657F7107D8FC9DBBF415DFE1DE42FEADDEED607CDCE03EF7A604CC7AA13A365E292165B24DB62F87681ABCE839138CA20DAE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730019091);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730019091);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730019091);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173001

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.356365758453184
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSUgs30LXnIgRM/pnxQwRls6Zsp1GH3j6xiMetdL/5Q1oXpTurD/I0HN:cpOx7V0ZEnRTZYQGxHe5XpTgw1t4
MD5:	D5DB64E3B1C7D74569C806D080D28E7D
SHA1:	08048B647EABFFE69CEE96A491BF8418397A77E0
SHA-256:	F3A6178055D9CEA75B7ABA327A36301CBF7074A1DCEDA9CB5B0544A0B84C9C32
SHA-512:	829DD51F5FDC3D1A9E6D58D6C5294C4CB9CA5B4CDD22BEF580FCFF531AD477AF819D60803AA6A0CE41B002F140171E9C7079CDDC1D97589D5D4920F45491B1C7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{eebffcb4-872c-449a-895c-038f3e346fb7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730019095659,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..iUpdate...60,"startTim..P60592...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...68230,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.356365758453184
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSUgs30LXnIgRM/pnxQwRls6Zsp1GH3j6xiMetdL/5Q1oXpTurD/I0HN:cpOx7V0ZEnRTZYQGxHe5XpTgw1t4
MD5:	D5DB64E3B1C7D74569C806D080D28E7D
SHA1:	08048B647EABFFE69CEE96A491BF8418397A77E0
SHA-256:	F3A6178055D9CEA75B7ABA327A36301CBF7074A1DCEDA9CB5B0544A0B84C9C32
SHA-512:	829DD51F5FDC3D1A9E6D58D6C5294C4CB9CA5B4CDD22BEF580FCFF531AD477AF819D60803AA6A0CE41B002F140171E9C7079CDDC1D97589D5D4920F45491B1C7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{eebffcb4-872c-449a-895c-038f3e346fb7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730019095659,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..iUpdate...60,"startTim..P60592...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...68230,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.356365758453184
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSUgs30LXnIgRM/pnxQwRls6Zsp1GH3j6xiMetdL/5Q1oXpTurD/I0HN:cpOx7V0ZEnRTZYQGxHe5XpTgw1t4
MD5:	D5DB64E3B1C7D74569C806D080D28E7D
SHA1:	08048B647EABFFE69CEE96A491BF8418397A77E0
SHA-256:	F3A6178055D9CEA75B7ABA327A36301CBF7074A1DCEDA9CB5B0544A0B84C9C32
SHA-512:	829DD51F5FDC3D1A9E6D58D6C5294C4CB9CA5B4CDD22BEF580FCFF531AD477AF819D60803AA6A0CE41B002F140171E9C7079CDDC1D97589D5D4920F45491B1C7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{eebffcb4-872c-449a-895c-038f3e346fb7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730019095659,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..iUpdate...60,"startTim..P60592...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...68230,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033541884996752
Encrypted:	false
SSDEEP:	48:YrSAYrz6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycXyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	B72C65A267A82F1FFC532E178B741654
SHA1:	69B0238979C15F92AFA0D1E7D429FAAE82E1AAF2
SHA-256:	1F37A40363EA615CC1C95EEB07ED330DACD2319B1DF1381CB89EDC8F7A740FD1
SHA-512:	644BEE3F9AD11C019F8AB096160657FCE177EC7F897CDB40D9C4B5D2F5423988672329D2437193E6CE6F53C1068578FD9D211CE614F009B369F74FED9A6A4BEF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-27T08:51:18.601Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033541884996752
Encrypted:	false
SSDEEP:	48:YrSAYrz6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycXyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	B72C65A267A82F1FFC532E178B741654
SHA1:	69B0238979C15F92AFA0D1E7D429FAAE82E1AAF2
SHA-256:	1F37A40363EA615CC1C95EEB07ED330DACD2319B1DF1381CB89EDC8F7A740FD1
SHA-512:	644BEE3F9AD11C019F8AB096160657FCE177EC7F897CDB40D9C4B5D2F5423988672329D2437193E6CE6F53C1068578FD9D211CE614F009B369F74FED9A6A4BEF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-27T08:51:18.601Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584666537547872
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	089d8306a0eb1989d38e3ce159191f66
SHA1:	ca8f2d0f5ccab8d2535e226892fc5650b9050a36
SHA256:	aa30d0547aacd99972a5860ec25d1b8de74710c1d64c28a99379d5e72cf621c9
SHA512:	b41f3ce9a8b2125daad02da31a2592025c1d7a1b1b4395b71d3c7b52a932b68bcbc75debaa384208073a8a3fccc07eab4fbda2437fad0c2e9733c7929adf2045
SSDEEP:	12288:7qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T0:7qDEvCTbMWu7rQYlBQcBiT6rprG8ab0
TLSH:	AE159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671DEDA7 [Sun Oct 27 07:37:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F479C8E3ED3h
jmp 00007F479C8E37DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F479C8E39BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F479C8E398Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F479C8E657Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F479C8E65C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F479C8E65B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	ed7504ac118118b7e51608b6f0384579	False	0.3156398338607595	data	5.374008787683816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 08:50:14.942167044 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:14.942254066 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:14.946965933 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:14.967737913 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:14.967801094 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:15.592962027 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:15.594537020 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:15.602035046 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:15.602047920 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:15.602152109 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:15.602328062 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:15.604634047 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:17.131795883 CET	49738	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:17.131885052 CET	443	49738	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:17.137032032 CET	49738	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:17.138415098 CET	49738	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:17.138459921 CET	443	49738	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:17.148740053 CET	49739	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:17.148791075 CET	443	49739	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:17.152590036 CET	49739	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:17.156580925 CET	49739	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:17.156615019 CET	443	49739	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:17.161221981 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:17.166652918 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:17.168143988 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:17.168428898 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:17.173837900 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:17.620944977 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:17.621046066 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:17.622262001 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:17.623922110 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:17.623958111 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:17.640196085 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:17.640239954 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:17.640434027 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:17.641891956 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:17.641925097 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:17.674021006 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:17.674056053 CET	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:17.674350977 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:17.674493074 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:17.674519062 CET	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:17.764156103 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:17.885771990 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.005314112 CET	443	49738	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.005984068 CET	49738	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.006316900 CET	443	49738	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.006409883 CET	49738	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.022923946 CET	443	49739	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.023263931 CET	49739	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.026106119 CET	443	49739	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.026182890 CET	49739	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.077373981 CET	49738	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.077469110 CET	443	49738	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.077512980 CET	49738	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.077985048 CET	443	49738	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.079679966 CET	49739	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.079715967 CET	443	49739	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.079772949 CET	49739	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.080142975 CET	49744	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.080204010 CET	443	49744	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.080287933 CET	443	49739	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.081263065 CET	49738	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.081298113 CET	49739	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.081402063 CET	49744	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.082742929 CET	49744	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.082772017 CET	443	49744	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.241575003 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.241662979 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.246248960 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.246303082 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.246368885 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.246691942 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.246711969 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.246792078 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.246896029 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.246928930 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.248198032 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.248233080 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.263735056 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.270596981 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.274667025 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.274696112 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.274760008 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.274877071 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.275067091 CET	49747	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.275089025 CET	443	49747	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.275209904 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.275774002 CET	49748	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.276010036 CET	49749	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.276036024 CET	49747	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.276051998 CET	443	49749	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:18.276278019 CET	49749	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.277426958 CET	49747	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.277443886 CET	443	49747	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.277590990 CET	49749	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.277607918 CET	443	49749	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:18.281179905 CET	80	49748	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:18.281388044 CET	49748	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.281537056 CET	49748	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.286844015 CET	80	49748	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:18.298616886 CET	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:18.298723936 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:18.301785946 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:18.301800013 CET	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:18.302135944 CET	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:18.305743933 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:18.305803061 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:18.306010008 CET	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:18.309062958 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:18.309062958 CET	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:18.355282068 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.361198902 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:18.362278938 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.666208982 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.671730995 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:18.671905994 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.672089100 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.677405119 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:18.850928068 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.851500988 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.855398893 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.855416059 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.855480909 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.855581999 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.855654001 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.871923923 CET	80	49748	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:18.875072956 CET	443	49747	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.879329920 CET	443	49747	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.884278059 CET	49747	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.886276960 CET	49748	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.888597965 CET	49747	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.888607025 CET	443	49747	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.888673067 CET	49747	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.888731956 CET	443	49747	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:18.888803959 CET	49747	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:18.892198086 CET	80	49748	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:18.892478943 CET	49748	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:18.899025917 CET	443	49749	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:18.899611950 CET	49749	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.902297020 CET	49749	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.902316093 CET	443	49749	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:18.902710915 CET	443	49749	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:18.906197071 CET	49749	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.906198025 CET	49749	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.906344891 CET	49749	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.906769037 CET	49752	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.906795979 CET	443	49752	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:18.907636881 CET	49752	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.907830954 CET	49752	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:18.907845020 CET	443	49752	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:18.941808939 CET	443	49744	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.941901922 CET	49744	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.944323063 CET	443	49744	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.944396973 CET	49744	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.947803974 CET	49744	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.947822094 CET	443	49744	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.947896957 CET	49744	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:18.948095083 CET	443	49744	142.250.185.238	192.168.2.4
Oct 27, 2024 08:50:18.950293064 CET	49744	443	192.168.2.4	142.250.185.238
Oct 27, 2024 08:50:19.270035028 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:19.321187973 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:19.516289949 CET	443	49752	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:19.516386032 CET	49752	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:19.519666910 CET	49752	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:19.519695997 CET	443	49752	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:19.520032883 CET	443	49752	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:19.522418022 CET	49752	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:19.522501945 CET	49752	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:19.522589922 CET	443	49752	34.160.144.191	192.168.2.4
Oct 27, 2024 08:50:19.522680044 CET	49752	443	192.168.2.4	34.160.144.191
Oct 27, 2024 08:50:19.567053080 CET	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:19.567106962 CET	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:19.569159031 CET	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:19.570472956 CET	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:19.570504904 CET	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:19.886883020 CET	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:19.892422915 CET	80	49755	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:19.892517090 CET	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:19.892628908 CET	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:19.897917986 CET	80	49755	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:20.093660116 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:20.100002050 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:20.185682058 CET	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:20.186877012 CET	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.191112995 CET	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.191127062 CET	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:20.191215992 CET	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.191365957 CET	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:20.191569090 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.191651106 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:20.192559004 CET	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.192606926 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.194164038 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.194207907 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:20.219445944 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:20.271001101 CET	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:20.277210951 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:20.305295944 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:20.310662031 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:20.316704988 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:20.316987038 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:20.319889069 CET	80	49755	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:20.322367907 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:20.382256985 CET	80	49755	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:20.386415005 CET	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:20.809916019 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:20.809998035 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.814434052 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.814465046 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:20.814518929 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.815059900 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 08:50:20.815318108 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 08:50:20.920659065 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:20.979234934 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:23.556325912 CET	49759	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:23.556365967 CET	443	49759	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:23.557296038 CET	49759	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:23.557678938 CET	49759	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:23.557696104 CET	443	49759	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:23.859636068 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:23.863342047 CET	49760	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:23.863423109 CET	443	49760	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:23.864981890 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:23.865636110 CET	49760	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:23.867086887 CET	49760	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:23.867115021 CET	443	49760	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:23.868067980 CET	49761	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:23.868098974 CET	443	49761	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:23.869048119 CET	49761	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:23.870361090 CET	49761	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:23.870384932 CET	443	49761	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:23.875636101 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:23.875713110 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:23.878123045 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:23.879595995 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:23.879643917 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:23.984499931 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:24.033010006 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:24.155786037 CET	443	49759	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:24.155941010 CET	49759	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:24.158147097 CET	49759	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:24.158175945 CET	443	49759	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:24.158521891 CET	443	49759	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:24.160527945 CET	49759	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:24.160597086 CET	49759	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:24.160729885 CET	443	49759	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:24.160794020 CET	49759	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:24.480362892 CET	443	49760	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:24.480441093 CET	49760	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:24.484492064 CET	49760	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:24.484517097 CET	443	49760	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:24.484615088 CET	49760	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:24.484760046 CET	443	49760	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:24.484924078 CET	49760	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:24.492944002 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:24.493083954 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:24.496970892 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:24.496990919 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:24.497030020 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:24.497154951 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:24.498028994 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:24.499727011 CET	443	49761	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:24.501187086 CET	49761	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:24.504901886 CET	49761	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:24.504920006 CET	443	49761	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:24.504981995 CET	49761	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:24.505057096 CET	443	49761	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:24.507304907 CET	49761	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.010430098 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:28.015783072 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:28.023369074 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:28.024590015 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.024619102 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.025408983 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.025546074 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.025553942 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.028713942 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:28.035494089 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.035577059 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.035845995 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.037270069 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.037303925 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.125677109 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.125709057 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.128696918 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.129128933 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.129149914 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.136929989 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:28.148173094 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:28.183922052 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:28.199553013 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:28.356703997 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:28.362669945 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:28.483114958 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:28.530718088 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:28.640923977 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.641043901 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.645687103 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.645751953 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:28.753863096 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:28.753921986 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.585299969 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.585335016 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.586241961 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.588644981 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.588677883 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.589624882 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.592717886 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.592765093 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.592806101 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.592859983 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.592941046 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.593146086 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.593162060 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.593197107 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.593427896 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.593442917 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.593656063 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.593724966 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.594077110 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.594191074 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.700238943 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:29.705661058 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:29.762137890 CET	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.762170076 CET	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.762417078 CET	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.763832092 CET	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:29.763861895 CET	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:29.825301886 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:29.865710974 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:30.377536058 CET	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:30.382797956 CET	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:30.618006945 CET	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:30.618038893 CET	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:30.618185997 CET	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:30.618676901 CET	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 08:50:30.619129896 CET	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:50:30.620373964 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:30.625735044 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:30.706779957 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:30.712156057 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:30.746711016 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:30.799520016 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:30.831588030 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:30.884174109 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:30.913183928 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:31.110524893 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:31.231498003 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:31.285350084 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:33.033576012 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:33.033611059 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:33.033876896 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:33.035135984 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:33.035162926 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:33.641264915 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:33.641346931 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:33.645952940 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:33.645970106 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:33.646059990 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:33.646529913 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:33.646960974 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:33.649023056 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:33.654481888 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:33.773701906 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:33.776956081 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:33.782643080 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:33.830243111 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:33.903862953 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:33.946180105 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:43.471374035 CET	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:43.471457005 CET	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:43.473571062 CET	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:43.473696947 CET	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:43.473718882 CET	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:43.495362043 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:43.495431900 CET	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:43.498460054 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:43.498583078 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:43.498615980 CET	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:43.499613047 CET	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:43.499635935 CET	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:43.500647068 CET	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:43.502006054 CET	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:43.502031088 CET	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:43.774435997 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:43.905950069 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:43.914350033 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:43.914916992 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:43.915525913 CET	49776	443	192.168.2.4	35.201.103.21
Oct 27, 2024 08:50:43.915591002 CET	443	49776	35.201.103.21	192.168.2.4
Oct 27, 2024 08:50:43.915708065 CET	49776	443	192.168.2.4	35.201.103.21
Oct 27, 2024 08:50:43.917032003 CET	49776	443	192.168.2.4	35.201.103.21
Oct 27, 2024 08:50:43.917066097 CET	443	49776	35.201.103.21	192.168.2.4
Oct 27, 2024 08:50:43.917469025 CET	49777	443	192.168.2.4	151.101.65.91
Oct 27, 2024 08:50:43.917480946 CET	443	49777	151.101.65.91	192.168.2.4
Oct 27, 2024 08:50:43.917534113 CET	49777	443	192.168.2.4	151.101.65.91
Oct 27, 2024 08:50:43.917634964 CET	49777	443	192.168.2.4	151.101.65.91
Oct 27, 2024 08:50:43.917648077 CET	443	49777	151.101.65.91	192.168.2.4
Oct 27, 2024 08:50:44.028816938 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:44.028903008 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:44.029056072 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:44.030369043 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:44.030405998 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:44.518130064 CET	443	49777	151.101.65.91	192.168.2.4
Oct 27, 2024 08:50:44.518223047 CET	49777	443	192.168.2.4	151.101.65.91
Oct 27, 2024 08:50:44.520536900 CET	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.520622969 CET	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.521553993 CET	49777	443	192.168.2.4	151.101.65.91
Oct 27, 2024 08:50:44.521559000 CET	443	49777	151.101.65.91	192.168.2.4
Oct 27, 2024 08:50:44.521820068 CET	443	49777	151.101.65.91	192.168.2.4
Oct 27, 2024 08:50:44.524481058 CET	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.524512053 CET	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.525439024 CET	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.527646065 CET	49777	443	192.168.2.4	151.101.65.91
Oct 27, 2024 08:50:44.527745962 CET	49777	443	192.168.2.4	151.101.65.91
Oct 27, 2024 08:50:44.527796030 CET	443	49777	151.101.65.91	192.168.2.4
Oct 27, 2024 08:50:44.527981997 CET	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.528042078 CET	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.528423071 CET	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.528426886 CET	49777	443	192.168.2.4	151.101.65.91
Oct 27, 2024 08:50:44.528484106 CET	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.528795004 CET	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:44.529526949 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.530006886 CET	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:44.532181025 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.532192945 CET	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:44.533114910 CET	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:44.534416914 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.534477949 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.534851074 CET	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:44.536500931 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.536518097 CET	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.536535978 CET	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:44.539489985 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.539515972 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.539675951 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.540112019 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.540126085 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.541903973 CET	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:44.541917086 CET	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:44.541992903 CET	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:44.542465925 CET	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 08:50:44.542536020 CET	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 08:50:44.542735100 CET	443	49776	35.201.103.21	192.168.2.4
Oct 27, 2024 08:50:44.544011116 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.544069052 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.544262886 CET	49776	443	192.168.2.4	35.201.103.21
Oct 27, 2024 08:50:44.544295073 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.546624899 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.546655893 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.547143936 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.547178984 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.547296047 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.547426939 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:44.547440052 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:44.548680067 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:44.549881935 CET	49776	443	192.168.2.4	35.201.103.21
Oct 27, 2024 08:50:44.549917936 CET	443	49776	35.201.103.21	192.168.2.4
Oct 27, 2024 08:50:44.549961090 CET	49776	443	192.168.2.4	35.201.103.21
Oct 27, 2024 08:50:44.550045967 CET	443	49776	35.201.103.21	192.168.2.4
Oct 27, 2024 08:50:44.550143003 CET	49776	443	192.168.2.4	35.201.103.21
Oct 27, 2024 08:50:44.554053068 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:44.560033083 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.560092926 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:44.560180902 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.560276985 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:44.560305119 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:44.660331011 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:44.660460949 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:44.664751053 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:44.664771080 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:44.664834023 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:44.665350914 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 08:50:44.673412085 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:44.677053928 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:50:44.681241989 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:44.686712027 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:44.723974943 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:44.808243036 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:44.861972094 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:45.155662060 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.155735970 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.158291101 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.158303022 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.159415007 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.160661936 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.160744905 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.160881042 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.161022902 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.162910938 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.164191008 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.164863110 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:45.165636063 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.165666103 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.168092966 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.168108940 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.168410063 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.170512915 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.170521975 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.170862913 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.172267914 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:45.173532009 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.173614979 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.173744917 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.173842907 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.173892021 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.174117088 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.174196959 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 08:50:45.174266100 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 08:50:45.174530029 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:45.174618006 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:45.177334070 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:45.177356005 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:45.177618027 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:45.180778980 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:45.180876970 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:45.180946112 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 08:50:45.181472063 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 08:50:45.291419029 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:45.300029039 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:45.306868076 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:45.341216087 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:45.427922010 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:45.479329109 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:55.306821108 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:55.312372923 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:50:55.438544035 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:50:55.444108963 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:04.670159101 CET	49811	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:04.670206070 CET	443	49811	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:04.670356035 CET	49811	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:04.671711922 CET	49811	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:04.671734095 CET	443	49811	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:05.286314964 CET	443	49811	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:05.287822008 CET	49811	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:05.293066025 CET	49811	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:05.293097973 CET	443	49811	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:05.293147087 CET	49811	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:05.293251038 CET	443	49811	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:05.294250965 CET	49811	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:05.296240091 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:05.301631927 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:05.421010971 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:05.424150944 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:05.429565907 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:05.467528105 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:05.550889015 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:05.599100113 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:05.828326941 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:05.833683968 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:05.953330994 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:05.959570885 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:05.965003967 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:06.000225067 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:06.086427927 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:06.138307095 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:12.648284912 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.648345947 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:12.652353048 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.652594090 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.652638912 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:12.652978897 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.653023005 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:12.653640985 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.653733015 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.653748989 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:12.679029942 CET	49859	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.679116011 CET	443	49859	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:12.679819107 CET	49859	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.679928064 CET	49859	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:12.679971933 CET	443	49859	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.279558897 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.279654026 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.280011892 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.287070990 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.287081003 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.287545919 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.288002014 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.291126966 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.291160107 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.292092085 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.293972015 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.294101954 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.294372082 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.295265913 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.295356035 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.295702934 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.298966885 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:13.299808025 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.299837112 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.299851894 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.304362059 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:13.307405949 CET	443	49859	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.307640076 CET	49859	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.311600924 CET	49859	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.311625004 CET	443	49859	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.312429905 CET	443	49859	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.314488888 CET	49859	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.314590931 CET	49859	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.314892054 CET	443	49859	34.120.208.123	192.168.2.4
Oct 27, 2024 08:51:13.315195084 CET	49859	443	192.168.2.4	34.120.208.123
Oct 27, 2024 08:51:13.423947096 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:13.434083939 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:13.439565897 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:13.475627899 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:13.560830116 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:13.607182026 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:23.435877085 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:23.441265106 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:23.573856115 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:23.579171896 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:33.453195095 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:33.458611965 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:33.584758043 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:33.590105057 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:43.460592985 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:43.467051983 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:43.598601103 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:43.604106903 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:46.219696045 CET	50040	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:46.219768047 CET	443	50040	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:46.219849110 CET	50040	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:46.221425056 CET	50040	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:46.221453905 CET	443	50040	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:46.844435930 CET	443	50040	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:46.844635010 CET	50040	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:46.850550890 CET	50040	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:46.850575924 CET	443	50040	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:46.850646973 CET	50040	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:46.850873947 CET	443	50040	34.107.243.93	192.168.2.4
Oct 27, 2024 08:51:46.851641893 CET	50040	443	192.168.2.4	34.107.243.93
Oct 27, 2024 08:51:46.853487968 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:46.858871937 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:46.978364944 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:46.981832981 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:46.987322092 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:47.024442911 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:47.108863115 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:47.155905008 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:56.984306097 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:56.989768028 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:51:57.122215986 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:51:57.127800941 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:52:06.996932030 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:52:07.002577066 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:52:07.128415108 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:52:07.134027004 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 08:52:17.017517090 CET	49751	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:52:17.022957087 CET	80	49751	34.107.221.82	192.168.2.4
Oct 27, 2024 08:52:17.149076939 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 08:52:17.154443979 CET	80	49757	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 08:50:14.943681002 CET	61147	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:14.951191902 CET	53	61147	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:14.998532057 CET	58161	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:15.006593943 CET	53	58161	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.120210886 CET	49945	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.120553017 CET	61950	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.127429962 CET	53	49945	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.137252092 CET	56231	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.139884949 CET	59273	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.145108938 CET	53	56231	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.146418095 CET	62369	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.147779942 CET	53	59273	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.154098988 CET	53	62369	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.159832954 CET	64109	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.167473078 CET	53	64109	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.608983994 CET	58955	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.616585970 CET	53	58955	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.621813059 CET	57461	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.630114079 CET	53	57461	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.630681992 CET	56065	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.638834000 CET	53	56065	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.639436007 CET	61101	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.646919966 CET	53	61101	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.653822899 CET	53320	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.661906958 CET	53	53320	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.672207117 CET	57302	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.674221039 CET	57657	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.679506063 CET	53	57302	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.682022095 CET	53	57657	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:17.685678959 CET	61983	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:17.694001913 CET	53	61983	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:18.100641966 CET	49287	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:18.107831955 CET	55169	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:18.108184099 CET	53	49287	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:18.115405083 CET	53	55169	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:18.263875961 CET	54693	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:18.264780045 CET	64705	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:18.272625923 CET	53	64705	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:18.278137922 CET	55905	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:18.285478115 CET	53	55905	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:18.286081076 CET	64439	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:18.293665886 CET	53	64439	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:18.303735018 CET	63425	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:18.329893112 CET	53	61592	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.540858030 CET	49186	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.546272039 CET	61887	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.547481060 CET	62622	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.549160004 CET	53	49186	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.553658009 CET	53	61887	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.555191994 CET	53	62622	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.555794001 CET	50634	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.563957930 CET	53	50634	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.564342022 CET	51523	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.564754009 CET	59538	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.571563005 CET	53	51523	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.573038101 CET	53	59538	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.641793013 CET	63491	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.649285078 CET	53	63491	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.864876986 CET	64778	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.868295908 CET	50616	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.872134924 CET	53	64778	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.875924110 CET	53	50616	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.876403093 CET	52823	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.878740072 CET	51812	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.884215117 CET	53	52823	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.884850025 CET	52534	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:23.886063099 CET	53	51812	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:23.892508984 CET	53	52534	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:29.701925993 CET	52382	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:29.709647894 CET	53	52382	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:33.033070087 CET	50589	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:33.041059971 CET	53	50589	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:33.042149067 CET	52677	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:33.049494028 CET	53	52677	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.148363113 CET	59860	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.148765087 CET	59935	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.149162054 CET	64952	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.155930042 CET	53	59860	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.156321049 CET	53	59935	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.156634092 CET	56397	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.156936884 CET	53	64952	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.157161951 CET	53272	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.157736063 CET	62259	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.164037943 CET	53	56397	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.164422035 CET	53	53272	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.165285110 CET	53	62259	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.170275927 CET	56306	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.170453072 CET	53459	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.170537949 CET	62500	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.177774906 CET	53	62500	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.178100109 CET	53	53459	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.178220034 CET	53	56306	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.179382086 CET	51672	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.185909986 CET	55054	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.186656952 CET	53	51672	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.187664986 CET	58246	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.193481922 CET	53	55054	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.193979025 CET	51162	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.194861889 CET	53	58246	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.195419073 CET	49904	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.201057911 CET	53	51162	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.201603889 CET	62702	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:34.203939915 CET	53	49904	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:34.209032059 CET	53	62702	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.491612911 CET	59178	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.496160030 CET	65222	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.503838062 CET	57326	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.914428949 CET	53	65222	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.914458990 CET	53	57326	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.914490938 CET	53	59178	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.915095091 CET	62061	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.915673971 CET	50020	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.916395903 CET	60924	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.922399044 CET	53	62061	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.923727036 CET	53	50020	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.924015045 CET	53	60924	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.924179077 CET	49641	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.924545050 CET	51383	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.927763939 CET	56156	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:43.931914091 CET	53	49641	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.932252884 CET	53	51383	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:43.936181068 CET	53	56156	1.1.1.1	192.168.2.4
Oct 27, 2024 08:50:44.029067039 CET	64819	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:50:44.036533117 CET	53	64819	1.1.1.1	192.168.2.4
Oct 27, 2024 08:51:04.669720888 CET	51057	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:51:04.677778959 CET	53	51057	1.1.1.1	192.168.2.4
Oct 27, 2024 08:51:04.680804014 CET	49605	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:51:04.688554049 CET	53	49605	1.1.1.1	192.168.2.4
Oct 27, 2024 08:51:12.671468019 CET	52558	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:51:12.680566072 CET	53	52558	1.1.1.1	192.168.2.4
Oct 27, 2024 08:51:46.210707903 CET	50589	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:51:46.218305111 CET	53	50589	1.1.1.1	192.168.2.4
Oct 27, 2024 08:51:46.219268084 CET	59100	53	192.168.2.4	1.1.1.1
Oct 27, 2024 08:51:46.226604939 CET	53	59100	1.1.1.1	192.168.2.4
Oct 27, 2024 08:51:46.853710890 CET	51584	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 08:50:14.943681002 CET	192.168.2.4	1.1.1.1	0xf475	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:14.998532057 CET	192.168.2.4	1.1.1.1	0xe832	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:17.120210886 CET	192.168.2.4	1.1.1.1	0x605e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.120553017 CET	192.168.2.4	1.1.1.1	0x691b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.137252092 CET	192.168.2.4	1.1.1.1	0x8038	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.139884949 CET	192.168.2.4	1.1.1.1	0xc73a	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.146418095 CET	192.168.2.4	1.1.1.1	0xcaf3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:17.159832954 CET	192.168.2.4	1.1.1.1	0xd883	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:17.608983994 CET	192.168.2.4	1.1.1.1	0x4e14	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.621813059 CET	192.168.2.4	1.1.1.1	0xb1aa	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.630681992 CET	192.168.2.4	1.1.1.1	0xdd50	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.639436007 CET	192.168.2.4	1.1.1.1	0x80d3	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:17.653822899 CET	192.168.2.4	1.1.1.1	0x6f97	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.672207117 CET	192.168.2.4	1.1.1.1	0x3214	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:17.674221039 CET	192.168.2.4	1.1.1.1	0x4122	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.685678959 CET	192.168.2.4	1.1.1.1	0x375d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:18.100641966 CET	192.168.2.4	1.1.1.1	0xe46d	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.107831955 CET	192.168.2.4	1.1.1.1	0xc2fa	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.263875961 CET	192.168.2.4	1.1.1.1	0x9a74	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.264780045 CET	192.168.2.4	1.1.1.1	0x5c4e	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.278137922 CET	192.168.2.4	1.1.1.1	0x510a	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.286081076 CET	192.168.2.4	1.1.1.1	0x3d9c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:18.303735018 CET	192.168.2.4	1.1.1.1	0xaeb5	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.540858030 CET	192.168.2.4	1.1.1.1	0xad31	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.546272039 CET	192.168.2.4	1.1.1.1	0x75c7	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.547481060 CET	192.168.2.4	1.1.1.1	0x10ac	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:23.555794001 CET	192.168.2.4	1.1.1.1	0xfa2	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.564342022 CET	192.168.2.4	1.1.1.1	0xb6ed	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.564754009 CET	192.168.2.4	1.1.1.1	0x9af7	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:23.641793013 CET	192.168.2.4	1.1.1.1	0xa294	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:23.864876986 CET	192.168.2.4	1.1.1.1	0xd752	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.868295908 CET	192.168.2.4	1.1.1.1	0x97d4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.876403093 CET	192.168.2.4	1.1.1.1	0x9686	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.878740072 CET	192.168.2.4	1.1.1.1	0xadee	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:23.884850025 CET	192.168.2.4	1.1.1.1	0xee29	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:29.701925993 CET	192.168.2.4	1.1.1.1	0xd50b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:33.033070087 CET	192.168.2.4	1.1.1.1	0xef3b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:33.042149067 CET	192.168.2.4	1.1.1.1	0x14de	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:34.148363113 CET	192.168.2.4	1.1.1.1	0x14ad	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.148765087 CET	192.168.2.4	1.1.1.1	0x32e	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.149162054 CET	192.168.2.4	1.1.1.1	0x4f6d	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.156634092 CET	192.168.2.4	1.1.1.1	0x9d7f	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.157161951 CET	192.168.2.4	1.1.1.1	0x5ed7	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.157736063 CET	192.168.2.4	1.1.1.1	0xc846	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.170275927 CET	192.168.2.4	1.1.1.1	0xd16b	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:34.170453072 CET	192.168.2.4	1.1.1.1	0xa8f9	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 27, 2024 08:50:34.170537949 CET	192.168.2.4	1.1.1.1	0x279a	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:34.179382086 CET	192.168.2.4	1.1.1.1	0x714e	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.185909986 CET	192.168.2.4	1.1.1.1	0xce13	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.187664986 CET	192.168.2.4	1.1.1.1	0x81b6	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.193979025 CET	192.168.2.4	1.1.1.1	0x66a6	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.195419073 CET	192.168.2.4	1.1.1.1	0xf87c	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:34.201603889 CET	192.168.2.4	1.1.1.1	0x3abc	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:43.491612911 CET	192.168.2.4	1.1.1.1	0x6737	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.496160030 CET	192.168.2.4	1.1.1.1	0x45f4	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.503838062 CET	192.168.2.4	1.1.1.1	0x49e5	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.915095091 CET	192.168.2.4	1.1.1.1	0x8aeb	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:43.915673971 CET	192.168.2.4	1.1.1.1	0x2df2	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.916395903 CET	192.168.2.4	1.1.1.1	0xf9b5	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.924179077 CET	192.168.2.4	1.1.1.1	0x96e2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:50:43.924545050 CET	192.168.2.4	1.1.1.1	0xb337	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 27, 2024 08:50:43.927763939 CET	192.168.2.4	1.1.1.1	0x55a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 08:50:44.029067039 CET	192.168.2.4	1.1.1.1	0xfcc9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:51:04.669720888 CET	192.168.2.4	1.1.1.1	0x1742	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:51:04.680804014 CET	192.168.2.4	1.1.1.1	0xa727	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:51:12.671468019 CET	192.168.2.4	1.1.1.1	0x55d9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:51:46.210707903 CET	192.168.2.4	1.1.1.1	0xced8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:51:46.219268084 CET	192.168.2.4	1.1.1.1	0xa043	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 08:51:46.853710890 CET	192.168.2.4	1.1.1.1	0xcd2f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 08:50:14.938896894 CET	1.1.1.1	192.168.2.4	0x70a1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:14.951191902 CET	1.1.1.1	192.168.2.4	0xf475	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.127429962 CET	1.1.1.1	192.168.2.4	0x605e	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.127898932 CET	1.1.1.1	192.168.2.4	0x691b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:17.127898932 CET	1.1.1.1	192.168.2.4	0x691b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.145108938 CET	1.1.1.1	192.168.2.4	0x8038	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.147779942 CET	1.1.1.1	192.168.2.4	0xc73a	No error (0)	youtube.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.154098988 CET	1.1.1.1	192.168.2.4	0xcaf3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 08:50:17.167473078 CET	1.1.1.1	192.168.2.4	0xd883	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 27, 2024 08:50:17.616585970 CET	1.1.1.1	192.168.2.4	0x4e14	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.630114079 CET	1.1.1.1	192.168.2.4	0xb1aa	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.638834000 CET	1.1.1.1	192.168.2.4	0xdd50	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:17.638834000 CET	1.1.1.1	192.168.2.4	0xdd50	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.661906958 CET	1.1.1.1	192.168.2.4	0x6f97	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.670156956 CET	1.1.1.1	192.168.2.4	0x8b5e	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:17.670156956 CET	1.1.1.1	192.168.2.4	0x8b5e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:17.682022095 CET	1.1.1.1	192.168.2.4	0x4122	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.108184099 CET	1.1.1.1	192.168.2.4	0xe46d	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.115405083 CET	1.1.1.1	192.168.2.4	0xc2fa	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.115405083 CET	1.1.1.1	192.168.2.4	0xc2fa	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.271769047 CET	1.1.1.1	192.168.2.4	0x9a74	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:18.271769047 CET	1.1.1.1	192.168.2.4	0x9a74	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.272625923 CET	1.1.1.1	192.168.2.4	0x5c4e	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:18.272625923 CET	1.1.1.1	192.168.2.4	0x5c4e	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:18.272625923 CET	1.1.1.1	192.168.2.4	0x5c4e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.285478115 CET	1.1.1.1	192.168.2.4	0x510a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:18.293665886 CET	1.1.1.1	192.168.2.4	0x3d9c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 08:50:18.312413931 CET	1.1.1.1	192.168.2.4	0xaeb5	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:23.549160004 CET	1.1.1.1	192.168.2.4	0xad31	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.552350044 CET	1.1.1.1	192.168.2.4	0x9287	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:23.552350044 CET	1.1.1.1	192.168.2.4	0x9287	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.553658009 CET	1.1.1.1	192.168.2.4	0x75c7	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:23.553658009 CET	1.1.1.1	192.168.2.4	0x75c7	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:23.553658009 CET	1.1.1.1	192.168.2.4	0x75c7	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.563957930 CET	1.1.1.1	192.168.2.4	0xfa2	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.571563005 CET	1.1.1.1	192.168.2.4	0xb6ed	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.863006115 CET	1.1.1.1	192.168.2.4	0x77db	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.872134924 CET	1.1.1.1	192.168.2.4	0xd752	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:23.872134924 CET	1.1.1.1	192.168.2.4	0xd752	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.875924110 CET	1.1.1.1	192.168.2.4	0x97d4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:23.884215117 CET	1.1.1.1	192.168.2.4	0x9686	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:28.033659935 CET	1.1.1.1	192.168.2.4	0x28d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:33.041059971 CET	1.1.1.1	192.168.2.4	0xef3b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.155930042 CET	1.1.1.1	192.168.2.4	0x14ad	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.156321049 CET	1.1.1.1	192.168.2.4	0x32e	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:34.156321049 CET	1.1.1.1	192.168.2.4	0x32e	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.156936884 CET	1.1.1.1	192.168.2.4	0x4f6d	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:34.156936884 CET	1.1.1.1	192.168.2.4	0x4f6d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164037943 CET	1.1.1.1	192.168.2.4	0x9d7f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.164422035 CET	1.1.1.1	192.168.2.4	0x5ed7	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.165285110 CET	1.1.1.1	192.168.2.4	0xc846	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.177774906 CET	1.1.1.1	192.168.2.4	0x279a	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 27, 2024 08:50:34.178100109 CET	1.1.1.1	192.168.2.4	0xa8f9	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 27, 2024 08:50:34.178220034 CET	1.1.1.1	192.168.2.4	0xd16b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 08:50:34.178220034 CET	1.1.1.1	192.168.2.4	0xd16b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 08:50:34.178220034 CET	1.1.1.1	192.168.2.4	0xd16b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 08:50:34.178220034 CET	1.1.1.1	192.168.2.4	0xd16b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 08:50:34.186656952 CET	1.1.1.1	192.168.2.4	0x714e	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:34.186656952 CET	1.1.1.1	192.168.2.4	0x714e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.186656952 CET	1.1.1.1	192.168.2.4	0x714e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.186656952 CET	1.1.1.1	192.168.2.4	0x714e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.186656952 CET	1.1.1.1	192.168.2.4	0x714e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.193481922 CET	1.1.1.1	192.168.2.4	0xce13	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.194861889 CET	1.1.1.1	192.168.2.4	0x81b6	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.194861889 CET	1.1.1.1	192.168.2.4	0x81b6	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.194861889 CET	1.1.1.1	192.168.2.4	0x81b6	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.194861889 CET	1.1.1.1	192.168.2.4	0x81b6	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:34.201057911 CET	1.1.1.1	192.168.2.4	0x66a6	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.914428949 CET	1.1.1.1	192.168.2.4	0x45f4	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.914458990 CET	1.1.1.1	192.168.2.4	0x49e5	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:43.914458990 CET	1.1.1.1	192.168.2.4	0x49e5	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.914490938 CET	1.1.1.1	192.168.2.4	0x6737	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.914490938 CET	1.1.1.1	192.168.2.4	0x6737	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.914490938 CET	1.1.1.1	192.168.2.4	0x6737	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.914490938 CET	1.1.1.1	192.168.2.4	0x6737	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.923727036 CET	1.1.1.1	192.168.2.4	0x2df2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.924015045 CET	1.1.1.1	192.168.2.4	0xf9b5	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.924015045 CET	1.1.1.1	192.168.2.4	0xf9b5	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.924015045 CET	1.1.1.1	192.168.2.4	0xf9b5	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.924015045 CET	1.1.1.1	192.168.2.4	0xf9b5	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:43.926769018 CET	1.1.1.1	192.168.2.4	0xe87b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:43.926769018 CET	1.1.1.1	192.168.2.4	0xe87b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:50:45.177861929 CET	1.1.1.1	192.168.2.4	0xabe5	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:50:45.177861929 CET	1.1.1.1	192.168.2.4	0xabe5	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:51:04.677778959 CET	1.1.1.1	192.168.2.4	0x1742	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:51:12.658240080 CET	1.1.1.1	192.168.2.4	0x9cf7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:51:46.218305111 CET	1.1.1.1	192.168.2.4	0xced8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:51:46.861737967 CET	1.1.1.1	192.168.2.4	0xcd2f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 08:51:46.861737967 CET	1.1.1.1	192.168.2.4	0xcd2f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7736	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:17.168428898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:17.764156103 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65160 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49748	34.107.221.82	80	7736	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:18.281537056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:18.871923923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69025 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	7736	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:18.672089100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:19.270035028 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65162 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:20.093660116 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:20.219445944 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65163 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:23.859636068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:23.984499931 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65166 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:28.023369074 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:28.148173094 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65171 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:29.700238943 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:29.825301886 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65172 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:30.706779957 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:30.831588030 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65173 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:33.649023056 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:33.773701906 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65176 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:43.774435997 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:50:44.548680067 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:44.673412085 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65187 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:45.164863110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:50:45.291419029 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65188 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:50:55.306821108 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:51:05.296240091 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:51:05.421010971 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65208 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:51:05.828326941 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:51:05.953330994 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65208 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:51:13.298966885 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:51:13.423947096 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65216 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:51:23.435877085 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:51:33.453195095 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:51:43.460592985 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:51:46.853487968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 08:51:46.978364944 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 65249 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 08:51:56.984306097 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:52:06.996932030 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:52:17.017517090 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	34.107.221.82	80	7736	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:19.892628908 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49757	34.107.221.82	80	7736	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:20.316987038 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:20.920659065 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69027 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:50:28.010430098 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:28.136929989 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69035 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:50:28.356703997 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:28.483114958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69035 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:50:30.620373964 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:30.746711016 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69037 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:50:30.913183928 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:31.231498003 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69038 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:50:33.776956081 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:33.903862953 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69040 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:50:43.905950069 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:50:44.681241989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:44.808243036 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69051 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:50:45.300029039 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:50:45.427922010 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69052 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:50:55.438544035 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:51:05.424150944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:51:05.550889015 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69072 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:51:05.959570885 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:51:06.086427927 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69073 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:51:13.434083939 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:51:13.560830116 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69080 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:51:23.573856115 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:51:33.584758043 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:51:43.598601103 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:51:46.981832981 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 08:51:47.108863115 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 69114 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 08:51:57.122215986 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:52:07.128415108 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 08:52:17.149076939 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	03:50:06
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf40000
File size:	919'552 bytes
MD5 hash:	089D8306A0EB1989D38E3CE159191F66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:50:06
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xd70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:50:06
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:50:09
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xd70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:50:09
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:50:09
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xd70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:50:09
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:50:10
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xd70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:50:10
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:50:10
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xd70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:50:10
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:50:10
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:50:10
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:50:10
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:50:11
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7c5687c-def4-45c9-ae4a-1b0aa07de766} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 298f5c6ed10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	03:50:14
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4232 -parentBuildID 20230927232528 -prefsHandle 4340 -prefMapHandle 4220 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55fd1972-1430-4133-9bd8-75ac33fba38e} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 29887e24510 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	03:50:23
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3536 -prefMapHandle 3456 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76630401-2e09-4eaa-8952-b3400db86ea9} 7736 "\\.\pipe\gecko-crash-server-pipe.7736" 29891abbf10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	1512
Total number of Limit Nodes:	49

Executed Functions

Function 00F442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F4430D

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

GetCurrentProcess.KERNEL32(?,00FDCB64,00000000,?,?), ref: 00F44422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F44429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F44454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F44466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F44474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F4447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F444A0

Strings

GetNativeSystemInfo, xrefs: 00F44460
kernel32.dll, xrefs: 00F4444F
|O, xrefs: 00F836F8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3eab2f802f75b05aab0b81b177b8ddc868b6c72125f2d90263474d7772b0aa1e
Instruction ID: 14630d77ec1a4b64a012bad7885a74c53993b67a21a0dd8b5698340102c32e4a
Opcode Fuzzy Hash: 3eab2f802f75b05aab0b81b177b8ddc868b6c72125f2d90263474d7772b0aa1e
Instruction Fuzzy Hash: 69A1B472D0E2D0CFCB39D7B974443D97FA56B26710B08C49ADAC1A3A1DD23E4504EBA6

Function 00F442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F450AA,?,?,00000000,00000000), ref: 00F442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F450AA,?,?,00000000,00000000), ref: 00F442C9
LoadResource.KERNEL32(?,00000000,?,?,00F450AA,?,?,00000000,00000000,?,?,?,?,?,?,00F44F20), ref: 00F835BE
SizeofResource.KERNEL32(?,00000000,?,?,00F450AA,?,?,00000000,00000000,?,?,?,?,?,?,00F44F20), ref: 00F835D3
LockResource.KERNEL32(00F450AA,?,?,00F450AA,?,?,00000000,00000000,?,?,?,?,?,?,00F44F20,?), ref: 00F835E6

Strings

SCRIPT, xrefs: 00F442BF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: fe9827511fa045c2ccf0b36986e500e8b35bdd9fb3785011b402064a32526db5
Instruction ID: ddeac63ebe8e6ab888f3b0f1d77a976cca031e0dc745ddc9f0d31ef7a6d71be2
Opcode Fuzzy Hash: fe9827511fa045c2ccf0b36986e500e8b35bdd9fb3785011b402064a32526db5
Instruction Fuzzy Hash: 6611A070201705BFDB219B65DC48F277BBAEBC5B51F14416EF80296290DBB1E900E670

Function 00F82BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F42B6B

Part of subcall function 00F43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01011418,?,00F42E7F,?,?,?,00000000), ref: 00F43A78

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01002224), ref: 00F82C10
ShellExecuteW.SHELL32(00000000,?,?,01002224), ref: 00F82C17

Strings

runas, xrefs: 00F82C0B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 54758c2e918fa6cfe154a183afe32d8a7667982ebb267bcc464f1d01b1e7890b
Instruction ID: c1bfc26a655c4e8e7d548508dff09e0175b1bf12f3b02c610c0319b73f299c37
Opcode Fuzzy Hash: 54758c2e918fa6cfe154a183afe32d8a7667982ebb267bcc464f1d01b1e7890b
Instruction Fuzzy Hash: 3711DF326483056AD718FF70DC459BEBFA4ABD1710F84042DBA82020A2CF798A49F752

Function 00FAD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FAD501
Process32FirstW.KERNEL32(00000000,?), ref: 00FAD50F
Process32NextW.KERNEL32(00000000,?), ref: 00FAD52F
CloseHandle.KERNELBASE(00000000), ref: 00FAD5DC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ed6dd095aaa7d80722cd1135db654885e413397cc9d6e2fa455f205aa64315ff
Instruction ID: 86dbe5d7dffcf6ca3a39c837b911d9ab6062e2c53c4fe6632e02137b5aef909c
Opcode Fuzzy Hash: ed6dd095aaa7d80722cd1135db654885e413397cc9d6e2fa455f205aa64315ff
Instruction Fuzzy Hash: 4931A4725083019FD301EF64CC85AAFBFF8EF99354F54052DF582861A2EB719944EB92

Function 00FADBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00F85222), ref: 00FADBCE
GetFileAttributesW.KERNELBASE(?), ref: 00FADBDD
FindFirstFileW.KERNEL32(?,?), ref: 00FADBEE
FindClose.KERNEL32(00000000), ref: 00FADBFA

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9efbf509365ac13318676f96c1c05c1b254923fcdfec096d97bd7daa910221b7
Instruction ID: acc7ca44ab39bb7fc557dd691eb8cb4a79fdd730709a2690f123791c41f57830
Opcode Fuzzy Hash: 9efbf509365ac13318676f96c1c05c1b254923fcdfec096d97bd7daa910221b7
Instruction Fuzzy Hash: FAF0A0718119295782206B78AC0D8AA376E9E02335B904713F876C24E0EBB45D54F6D5

Function 00F64CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00F728E9,?,00F64CBE,00F728E9,010088B8,0000000C,00F64E15,00F728E9,00000002,00000000,?,00F728E9), ref: 00F64D09
TerminateProcess.KERNEL32(00000000,?,00F64CBE,00F728E9,010088B8,0000000C,00F64E15,00F728E9,00000002,00000000,?,00F728E9), ref: 00F64D10
ExitProcess.KERNEL32 ref: 00F64D22

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cf9ccd97602c4055365abd349c6396fa8fd128669eb6480e774fa6337960fd79
Instruction ID: 3133ef2294daa6f8199b7e2d728d350f7952f44a82deacda00f29ce0beb75c67
Opcode Fuzzy Hash: cf9ccd97602c4055365abd349c6396fa8fd128669eb6480e774fa6337960fd79
Instruction Fuzzy Hash: 43E0B631801149ABCF11BF64DD09E583B6AEB41791F108015FC498B122CB39ED42FA80

Function 00FCAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00FCB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB1D4
_wcslen.LIBCMT ref: 00FCB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB236
_wcslen.LIBCMT ref: 00FCB332

Part of subcall function 00FB05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FB05C6

_wcslen.LIBCMT ref: 00FCB34B
_wcslen.LIBCMT ref: 00FCB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FCB3B6
GetLastError.KERNEL32(00000000), ref: 00FCB407
CloseHandle.KERNEL32(?), ref: 00FCB439
CloseHandle.KERNEL32(00000000), ref: 00FCB44A
CloseHandle.KERNEL32(00000000), ref: 00FCB45C
CloseHandle.KERNEL32(00000000), ref: 00FCB46E
CloseHandle.KERNEL32(?), ref: 00FCB4E3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f7928bf6fe3df67db78e563b9828ae4a3d902b95c59ab6641694e93b4125c0bd
Instruction ID: 8521bc5cf5a27eb16b0fb9c49dc621bc04a83736aac731c7563d369096a525b9
Opcode Fuzzy Hash: f7928bf6fe3df67db78e563b9828ae4a3d902b95c59ab6641694e93b4125c0bd
Instruction Fuzzy Hash: 4EF1A0359083419FC715EF24C982F6EBBE5AF85320F18855DF8959B2A2CB35EC04EB52

Function 00F4D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F4D807
timeGetTime.WINMM ref: 00F4DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4DB28
TranslateMessage.USER32(?), ref: 00F4DB7B
DispatchMessageW.USER32(?), ref: 00F4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4DB9F
Sleep.KERNELBASE(0000000A), ref: 00F4DBB1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5b630ebc61362693f735c8cb46496293a46e8c23f93418db505e04a1ff0422eb
Instruction ID: e41e4fe621a5378d6e75ded7cc0740b62f82047b39667d9864c86dc36aa478c6
Opcode Fuzzy Hash: 5b630ebc61362693f735c8cb46496293a46e8c23f93418db505e04a1ff0422eb
Instruction Fuzzy Hash: C0420731A04342EFEB38CF24C884B6ABBE1FF85314F14455EE99587291D779E844EB82

Function 00F42CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F42D07
RegisterClassExW.USER32(00000030), ref: 00F42D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F42D42
InitCommonControlsEx.COMCTL32(?), ref: 00F42D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F42D6F
LoadIconW.USER32(000000A9), ref: 00F42D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F42D94

Strings

AutoIt v3 GUI, xrefs: 00F42D23
+, xrefs: 00F42CF0
TaskbarCreated, xrefs: 00F42D37
0, xrefs: 00F42CE9

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: bc6fe9b46870570ace6ddfea63f0069d9326b995ea123261da0bc14149c21db1
Instruction ID: 26f480534a016b680239f3948e77422de1fa66d19b074e69df12a1f20b8db450
Opcode Fuzzy Hash: bc6fe9b46870570ace6ddfea63f0069d9326b995ea123261da0bc14149c21db1
Instruction Fuzzy Hash: 1A21E3B190220DAFDB10DFA4E849BDDBBBAFB08700F00811AF661A7294D7BA4544DF91

Function 00F8065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F8039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F80704,?,?,00000000,?,00F80704,00000000,0000000C), ref: 00F803B7

GetLastError.KERNEL32 ref: 00F8076F
__dosmaperr.LIBCMT ref: 00F80776
GetFileType.KERNELBASE(00000000), ref: 00F80782
GetLastError.KERNEL32 ref: 00F8078C
__dosmaperr.LIBCMT ref: 00F80795
CloseHandle.KERNEL32(00000000), ref: 00F807B5
CloseHandle.KERNEL32(?), ref: 00F808FF
GetLastError.KERNEL32 ref: 00F80931
__dosmaperr.LIBCMT ref: 00F80938

Strings

H, xrefs: 00F808BD

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cb8940390dc66c953c226a9c4411643683cb47f082af3e68ad624fcfaf66e974
Instruction ID: 31cc49fb1425f4d087f99ef952f44560fab08f21a9a3d5120968919bde54d772
Opcode Fuzzy Hash: cb8940390dc66c953c226a9c4411643683cb47f082af3e68ad624fcfaf66e974
Instruction Fuzzy Hash: 8BA13732A001088FDF19EF78DC56BEE3BA1AB06320F14015DF8559B391DB399D5AEB91

Function 00F4344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01011418,?,00F42E7F,?,?,?,00000000), ref: 00F43A78

Part of subcall function 00F43357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F43379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F4356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F8318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F831CE
RegCloseKey.ADVAPI32(?), ref: 00F83210
_wcslen.LIBCMT ref: 00F83277
_wcslen.LIBCMT ref: 00F83286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00F43560
Include, xrefs: 00F83184, 00F831C5
\Include\, xrefs: 00F43527
\, xrefs: 00F8328C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 6603388ad628de7e8244cea0d7cfc93d88eab2be7dc3868df8c6d9999bda4f87
Instruction ID: c619d02b1abb6af08341a80dbb28108bba09ee72f8b6b27b5fd6793808d93cc0
Opcode Fuzzy Hash: 6603388ad628de7e8244cea0d7cfc93d88eab2be7dc3868df8c6d9999bda4f87
Instruction Fuzzy Hash: 8071E2714043019FC324EF29DC829ABBBE8FF85750F50442EF984D3265EB799A48EB52

Function 00F42B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F42B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F42B9D
LoadIconW.USER32(00000063), ref: 00F42BB3
LoadIconW.USER32(000000A4), ref: 00F42BC5
LoadIconW.USER32(000000A2), ref: 00F42BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F42BEF
RegisterClassExW.USER32(?), ref: 00F42C40

Part of subcall function 00F42CD4: GetSysColorBrush.USER32(0000000F), ref: 00F42D07
Part of subcall function 00F42CD4: RegisterClassExW.USER32(00000030), ref: 00F42D31
Part of subcall function 00F42CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F42D42
Part of subcall function 00F42CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F42D5F
Part of subcall function 00F42CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F42D6F
Part of subcall function 00F42CD4: LoadIconW.USER32(000000A9), ref: 00F42D85
Part of subcall function 00F42CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F42D94

Strings

#, xrefs: 00F42C16
AutoIt v3, xrefs: 00F42C2F
0, xrefs: 00F42C0F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2a8e9eda2acd0cfb29f402380fecaca6c7a618b6d9300f0e93367094ff9af451
Instruction ID: eaf99bb1a787bb583df26aea5110284062c5bcf8b3bbf1f29ca217747e8774f9
Opcode Fuzzy Hash: 2a8e9eda2acd0cfb29f402380fecaca6c7a618b6d9300f0e93367094ff9af451
Instruction Fuzzy Hash: 74212C70E02318ABDB249FB5EC55B9DBFB6FB48B50F04801AF640A6698D7BE1540DF90

Function 00F43170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F4316A,?,?), ref: 00F431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F4316A,?,?), ref: 00F43204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F43227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F4316A,?,?), ref: 00F43232
CreatePopupMenu.USER32 ref: 00F43246
PostQuitMessage.USER32(00000000), ref: 00F43267

Strings

TaskbarCreated, xrefs: 00F4322D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e65385e8955456327e4630ea1d8b6e4dd3b87824e952f0e35780219640353318
Instruction ID: 9f0cf0e1094c82c9b0df1efbe4c77e4067c34f6102db69fe15ecc96d5b9eff6b
Opcode Fuzzy Hash: e65385e8955456327e4630ea1d8b6e4dd3b87824e952f0e35780219640353318
Instruction Fuzzy Hash: 7F412A32A40205A7DF282B78DC49BB93F16F745314F044115FE52C6199DBBD9B40F7A1

Function 00F41410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F41459
CoUninitialize.COMBASE ref: 00F414F8
UnregisterHotKey.USER32(?), ref: 00F416DD
DestroyWindow.USER32(?), ref: 00F824B9
FreeLibrary.KERNEL32(?), ref: 00F8251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F8254B

Strings

close all, xrefs: 00F41454

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: cb96474ef5e5d58b5f6bf82506df4ff0b4955497547e266b51cdc866332a7e31
Instruction ID: 68384b04a19701a20b3298f89d5c68e29825b492da2916fcf0677328c8a38e18
Opcode Fuzzy Hash: cb96474ef5e5d58b5f6bf82506df4ff0b4955497547e266b51cdc866332a7e31
Instruction Fuzzy Hash: 6DD1C231B01212CFCB19EF14C899B69FBA0BF05310F18429DE94A6B252DB30ED56EF91

Function 00F42C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F42C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F42CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F41CAD,?), ref: 00F42CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F41CAD,?), ref: 00F42CCF

Strings

edit, xrefs: 00F42CAC
AutoIt v3, xrefs: 00F42C89, 00F42C8E, 00F42C8F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 07f97bca76fe0f59b67447f7abfd38f7655422245ecbdb46dd1dab74bcba211a
Instruction ID: fbd790184b5c74c88189b3b4e00c0e437cfaf97a076835d77655cf24eb7d5422
Opcode Fuzzy Hash: 07f97bca76fe0f59b67447f7abfd38f7655422245ecbdb46dd1dab74bcba211a
Instruction Fuzzy Hash: EAF03A755402947AEB300733AC08E777EBED7C6F50B00811AFA00A3298C27A0840EBB1

Function 00F43B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F43B0F,SwapMouseButtons,00000004,?), ref: 00F43B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F43B0F,SwapMouseButtons,00000004,?), ref: 00F43B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F43B0F,SwapMouseButtons,00000004,?), ref: 00F43B83

Strings

Control Panel\Mouse, xrefs: 00F43B3E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6e71fb3956fdd41dde85431011ff2d3df137c1ed0398809d9dcc09cda0158902
Instruction ID: adcf170065dcfbad44a75d8e93ae4130ba374d9773e8371b9d1861694a3e945d
Opcode Fuzzy Hash: 6e71fb3956fdd41dde85431011ff2d3df137c1ed0398809d9dcc09cda0158902
Instruction Fuzzy Hash: E9112AB5511208FFDB218FA5DC48AAEBBB8EF44754B10855AA805D7110D2319E44A7A0

Function 00F43923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F833A2

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F43A04

Strings

Line: , xrefs: 00F833EB

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e370f5d20e14f0adf3037d24527b176740669e61ad377f002a80829b037f4522
Instruction ID: e64fb147b09b01f56db155d79f4c3f31140d89102da58714a08bd718d3a1d5d8
Opcode Fuzzy Hash: e370f5d20e14f0adf3037d24527b176740669e61ad377f002a80829b037f4522
Instruction Fuzzy Hash: AF31D471808304AAD725EB20DC45BEBBBD8AF41720F10452EF9D983195EB789749D7C3

Function 00F42DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F82C8C

Part of subcall function 00F43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43A97,?,?,00F42E7F,?,?,?,00000000), ref: 00F43AC2

Part of subcall function 00F42DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F42DC4

Strings

`e, xrefs: 00F82C85
X, xrefs: 00F82C5A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e
API String ID: 779396738-1218242589
Opcode ID: 767cd969f03e45213234631ff025c2efa993aff1998d2f6227f0a6dcaa8ee9c7
Instruction ID: f7da965bfae1dd7524a58ed5ba38384372d312c340eea460530e24ccfaa671fb
Opcode Fuzzy Hash: 767cd969f03e45213234631ff025c2efa993aff1998d2f6227f0a6dcaa8ee9c7
Instruction Fuzzy Hash: E221F371A002589BDB41EF94CC05BEE7BFDAF49314F008019E905F7281DBB85A49DFA1

Function 00F5FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F60668

Part of subcall function 00F632A4: RaiseException.KERNEL32(?,?,?,00F6068A,?,01011444,?,?,?,?,?,?,00F6068A,00F41129,01008738,00F41129), ref: 00F63304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F60685

Strings

Unknown exception, xrefs: 00F60692

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: eef2f9384be65e4dc6854f2d7c8d3845d73c53a44ca1a1644308e66e2384d770
Instruction ID: dd679571e1c008ff306e464526bd0ae69ce740b3eb9bdf8c770a8ea308dc4aa0
Opcode Fuzzy Hash: eef2f9384be65e4dc6854f2d7c8d3845d73c53a44ca1a1644308e66e2384d770
Instruction Fuzzy Hash: 45F02234C0020D738B00BAA4DC46C9E777C6E00320B708075BA1486592EF36EA29F9C0

Function 00F410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F41BF4
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F41BFC
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F41C07
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F41C12
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F41C1A
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F41C22

Part of subcall function 00F41B4A: RegisterWindowMessageW.USER32(00000004,?,00F412C4), ref: 00F41BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F4136A
OleInitialize.OLE32 ref: 00F41388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F824AB

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 57b628b232393496ef77dbbec8b7080ea361939d33b595c54f8899e1ed1d9f22
Instruction ID: 121ad25a822267d8d7c9de01b7ff72ec6a18089f153e48b97b7282cc53623987
Opcode Fuzzy Hash: 57b628b232393496ef77dbbec8b7080ea361939d33b595c54f8899e1ed1d9f22
Instruction Fuzzy Hash: D671BBB4912301CFC7ACEF79E8556553EE1FB48344358822AEA8AC7349EB3E4445DF85

Function 00FAC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F43A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FAC259
KillTimer.USER32(?,00000001,?,?), ref: 00FAC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FAC270

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: dfdb6b0fadf822514d8ee2cb58a2caea09522412e1ab200274ecc56951294f2e
Instruction ID: b6921d79140664026b24332c7de3b70c721cec3cd5467f220f6348e13b8cab0e
Opcode Fuzzy Hash: dfdb6b0fadf822514d8ee2cb58a2caea09522412e1ab200274ecc56951294f2e
Instruction Fuzzy Hash: 773193B1904344AFEB329F748855BEBBBEC9F07704F00449AD6DAA7241C7785A84DB91

Function 00F786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00F785CC,?,01008CC8,0000000C), ref: 00F78704
GetLastError.KERNEL32(?,00F785CC,?,01008CC8,0000000C), ref: 00F7870E
__dosmaperr.LIBCMT ref: 00F78739

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 794857eef6db3907d7aee204e7086d6ccefb73f97c397074ca5e219c4f8a6ac1
Instruction ID: 671ee9647dbb591a51ef233572d24877d28a65b0c7f86e9e6536551efa7e04be
Opcode Fuzzy Hash: 794857eef6db3907d7aee204e7086d6ccefb73f97c397074ca5e219c4f8a6ac1
Instruction Fuzzy Hash: 02010C32E4552036D6646234AC4E76E77474B81BB4F25811BF81D8B1E2DDA99C83B192

Function 00F4DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F4DB7B
DispatchMessageW.USER32(?), ref: 00F4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4DB9F
Sleep.KERNELBASE(0000000A), ref: 00F4DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00F91CC9

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 29aea6348a7b7db15afebb000a3860e3cf9035c5ebdb2c76967c113cff1d8fd5
Instruction ID: 32250e4e57f479cc3011e2b8481fb4bb4f483942e0226d39d3c282a0d44d8d47
Opcode Fuzzy Hash: 29aea6348a7b7db15afebb000a3860e3cf9035c5ebdb2c76967c113cff1d8fd5
Instruction Fuzzy Hash: 39F0FE31A453459BEB34CBB0DC49FEA77ADEB85321F104619EA5A930C0DB349488EB55

Function 00F51310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F517F6

Strings

CALL, xrefs: 00F517C6

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ce9ea8761e8ba3d505eaa4ca3f42ed8a71e504fdfe800e8902b81b681ce06d72
Instruction ID: fccd0e1300e8271cdae6ee8785ce78ced98940cb6d16c641a2e5992196a72d15
Opcode Fuzzy Hash: ce9ea8761e8ba3d505eaa4ca3f42ed8a71e504fdfe800e8902b81b681ce06d72
Instruction Fuzzy Hash: 2922AE706083019FD714DF14C880B2ABBF1BF85315F28895DFA968B362D775E949EB82

Function 00F43837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F43908

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9216e0dc693032d62c3951d5aa8e69cef5c5095bff9827660d7d65e360ea6b52
Instruction ID: 57f31cb68d9f8b8b66233c4c2ec40c17df4d850db9a2535b5913391dcc746f3e
Opcode Fuzzy Hash: 9216e0dc693032d62c3951d5aa8e69cef5c5095bff9827660d7d65e360ea6b52
Instruction Fuzzy Hash: 883191B1A057019FD720DF34D885797BBE8FB49718F00092EFAD983240E779AA44DB92

Function 00F5F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F5F661

Part of subcall function 00F4D730: GetInputState.USER32 ref: 00F4D807

Sleep.KERNEL32(00000000), ref: 00F9F2DE

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: f6b8b3f69c2ac452636db743106dc82c9e4b60f9fb7dd8337ac4d0754da4965e
Instruction ID: 4018a114ae1efb8e57afea0c86b8da4ffad91eede14ed56cb5f38140076bd916
Opcode Fuzzy Hash: f6b8b3f69c2ac452636db743106dc82c9e4b60f9fb7dd8337ac4d0754da4965e
Instruction Fuzzy Hash: E3F08C31240205AFD310EF79D949B6ABBE9EF45761F00002AEC5DC73A1DB70A804EB90

Function 00F44ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F44E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F44EDD,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E9C
Part of subcall function 00F44E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F44EAE
Part of subcall function 00F44E90: FreeLibrary.KERNEL32(00000000,?,?,00F44EDD,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44EFD

Part of subcall function 00F44E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F83CDE,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E62
Part of subcall function 00F44E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F44E74
Part of subcall function 00F44E59: FreeLibrary.KERNEL32(00000000,?,?,00F83CDE,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E87

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d2be285a3b9eb823c8ccf981ba7d829b146dccf025dff03cdce7178e1e99711b
Instruction ID: 613d0955fff5b5ad64d9ed7b2822cefb4c4707471a1295a265147d3c304b84b8
Opcode Fuzzy Hash: d2be285a3b9eb823c8ccf981ba7d829b146dccf025dff03cdce7178e1e99711b
Instruction Fuzzy Hash: 3211E732600205ABDB14BB64DC12FAD7BA59F40B21F10442EF942BB1D1EE78EA49B750

Function 00F78402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F78440

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 964fb2b86e3d6e090de3d399e9523f6be7f68e02fdb5f6291bfe0e1f23ffa360
Instruction ID: 2d69023622c306ac39d0aacb754deab0e42c79e2874a7b261c6a0c2123c8bea7
Opcode Fuzzy Hash: 964fb2b86e3d6e090de3d399e9523f6be7f68e02fdb5f6291bfe0e1f23ffa360
Instruction Fuzzy Hash: 7211487290410AAFCB05DF58E9449DA7BF4EF48310F10805AF808AB302DA71DA22DBA5

Function 00F6E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 37206187bc103e4e938d89441f8c8fbb415097856bc234f17263954e0f569764
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 73F02837920A14AAC7313A79DC05B9A33989F52370F104716F428931D2CB79E802BAA7

Function 00F73820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 87651c339ee63ba4d3583490d107f35dd53ee80502a6c6ab3c8059424758c0bf
Instruction ID: 2859c685d0e1aac5db65f833166ad15ccd352d2fff28d117eb877c9bf66f9bf3
Opcode Fuzzy Hash: 87651c339ee63ba4d3583490d107f35dd53ee80502a6c6ab3c8059424758c0bf
Instruction Fuzzy Hash: 35E0E533901225B6D7312A779C00F9A3749AB427B0F058123FC0C92581CB35ED01B2E3

Function 00F44F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44F6D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 995df5eb137c8dbb002e2ab4377d792b381495f3d70b3764f3e3c1b14f6ed679
Instruction ID: e72bbd7f4917d05d6004cd7bc0aa7b07332eec3cceb31b70a21e35284959f45e
Opcode Fuzzy Hash: 995df5eb137c8dbb002e2ab4377d792b381495f3d70b3764f3e3c1b14f6ed679
Instruction Fuzzy Hash: 25F03071505752CFDB349F64D490A12BBE4AF14339310897EE5EA93621C731A848EF50

Function 00FD2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FD2A66

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 72ec9630c45b05dfe24672a9a249b06059a5451d41356843cfd8d4e8e5708998
Instruction ID: 45f4b5cef8eda18d62a6b88aca9615e8e6d5b429c1a9a333903e09e47fc04d85
Opcode Fuzzy Hash: 72ec9630c45b05dfe24672a9a249b06059a5451d41356843cfd8d4e8e5708998
Instruction Fuzzy Hash: 16E04F76750116AAC754EA30DC809FAB35DEBA53957144537BC1AC2200EF38D995A6E0

Function 00F430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F4314E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3dead3d2de4219ffcd5eb8a7d09a9710616f5600c50a5a9b09e8f0c527b202f9
Instruction ID: 1eeac119d14c7adffb01acb5480ee72efcfab2e13b9ccec467ce2cbf91881344
Opcode Fuzzy Hash: 3dead3d2de4219ffcd5eb8a7d09a9710616f5600c50a5a9b09e8f0c527b202f9
Instruction Fuzzy Hash: D7F037709143189FE766DB34DC467D57BBCA701708F0041E5A68897289D7795788CF51

Function 00F42DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F42DC4

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 008b1128b9ccd91229734f1e56621e6c534da381b89f32efd4908ac38dce27de
Instruction ID: e827320d657921cb0f9e35302535a45557cc1f6af4e5e8d0e283039cffd3f5bb
Opcode Fuzzy Hash: 008b1128b9ccd91229734f1e56621e6c534da381b89f32efd4908ac38dce27de
Instruction Fuzzy Hash: 9DE0CD726001245BCB10A2589C05FDA77DDDFC8790F050171FD09D7248D964AD80D691

Function 00F42B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F43837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F43908

Part of subcall function 00F4D730: GetInputState.USER32 ref: 00F4D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00F42B6B

Part of subcall function 00F430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F4314E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: a8e89473aed9b1689b53b52f5a05405309c5514c778fc16575e5dfe05d44d47e
Instruction ID: 2a7d92780a097ec0db23bdf8e530bd0af20481c4cd99f79df6c08937a8cb4453
Opcode Fuzzy Hash: a8e89473aed9b1689b53b52f5a05405309c5514c778fc16575e5dfe05d44d47e
Instruction Fuzzy Hash: ADE0263270420803CA08BB349C124ADBF599BD1325F40063EFA8243153CE7D4545A351

Function 00F8039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F80704,?,?,00000000,?,00F80704,00000000,0000000C), ref: 00F803B7

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 13463fcd68615ce5733b766bba9b82e0691c1e002c285764b45270cad057c8f5
Instruction ID: 6455ad5c8e1f9e05a08a724c47af2d149001a7811f6eff808fb6ee5fd8f57987
Opcode Fuzzy Hash: 13463fcd68615ce5733b766bba9b82e0691c1e002c285764b45270cad057c8f5
Instruction Fuzzy Hash: 32D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E821EB90

Function 00F41CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F41CBC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7936bed9744987f5e641216f87b2ea21c998ed9ef02ddea1917a639e58435b2a
Instruction ID: 2109a1b200781b2250a680016a320f372cbe500093a10296639a14713d270f4f
Opcode Fuzzy Hash: 7936bed9744987f5e641216f87b2ea21c998ed9ef02ddea1917a639e58435b2a
Instruction Fuzzy Hash: E2C09B35280305DFF7244790BC4AF107755E348B04F148101F749555D7C7BB1450E750

Non-executed Functions

Function 00FD9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FD961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FD965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FD969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FD96C9
SendMessageW.USER32 ref: 00FD96F2
GetKeyState.USER32(00000011), ref: 00FD978B
GetKeyState.USER32(00000009), ref: 00FD9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FD97AE
GetKeyState.USER32(00000010), ref: 00FD97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FD97E9
SendMessageW.USER32 ref: 00FD9810
SendMessageW.USER32(?,00001030,?,00FD7E95), ref: 00FD9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FD992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FD9941
SetCapture.USER32(?), ref: 00FD994A
ClientToScreen.USER32(?,?), ref: 00FD99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FD99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FD99D6
ReleaseCapture.USER32 ref: 00FD99E1
GetCursorPos.USER32(?), ref: 00FD9A19
ScreenToClient.USER32(?,?), ref: 00FD9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FD9A80
SendMessageW.USER32 ref: 00FD9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FD9AEB
SendMessageW.USER32 ref: 00FD9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FD9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FD9B4A
GetCursorPos.USER32(?), ref: 00FD9B68
ScreenToClient.USER32(?,?), ref: 00FD9B75
GetParent.USER32(?), ref: 00FD9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FD9BFA
SendMessageW.USER32 ref: 00FD9C2B
ClientToScreen.USER32(?,?), ref: 00FD9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FD9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FD9CDE
SendMessageW.USER32 ref: 00FD9D01
ClientToScreen.USER32(?,?), ref: 00FD9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FD9D82

Part of subcall function 00F59944: GetWindowLongW.USER32(?,000000EB), ref: 00F59952

GetWindowLongW.USER32(?,000000F0), ref: 00FD9E05

Strings

F, xrefs: 00FD9D07
@GUI_DRAGID, xrefs: 00FD997D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 27a0a9db015d5ea62a133c32901ea9269f5fbc3bca372b7f9a122f5a18d98ec2
Instruction ID: e342726cd647734faa91a90720e841b3d13a99e7a665a099bae5bdf37ada862c
Opcode Fuzzy Hash: 27a0a9db015d5ea62a133c32901ea9269f5fbc3bca372b7f9a122f5a18d98ec2
Instruction Fuzzy Hash: DB429135609201AFD724CF64CC44BAABBE6FF48320F18061AF699973A1D7B5D850EF91

Function 00FD4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FD48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FD4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FD4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FD494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FD495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FD497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FD49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FD49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FD4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FD4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FD4A7E
IsMenu.USER32(?), ref: 00FD4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FD4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FD4B20
GetWindowLongW.USER32(?,000000F0), ref: 00FD4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FD4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FD4C82
wsprintfW.USER32 ref: 00FD4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FD4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FD4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FD4D5A

Strings

%d/%02d/%02d, xrefs: 00FD4CA8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 11cd0ecf4ae67bf1c7c07ed648b736b7ae4595019019bf7910d0275d4705b434
Instruction ID: 7a90924d248ca8e87de8d18db6ac8cfc59924c85f7f91e325efb8e20cb9ccb5c
Opcode Fuzzy Hash: 11cd0ecf4ae67bf1c7c07ed648b736b7ae4595019019bf7910d0275d4705b434
Instruction Fuzzy Hash: 0412F431900219ABEB258F34CC49FAE7BFAEF45710F18411AF919DB2E1DB74A941EB50

Function 00F5F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F5F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F9F474
IsIconic.USER32(00000000), ref: 00F9F47D
ShowWindow.USER32(00000000,00000009), ref: 00F9F48A
SetForegroundWindow.USER32(00000000), ref: 00F9F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F9F4AA
GetCurrentThreadId.KERNEL32 ref: 00F9F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F9F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F9F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F9F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F9F4DE
SetForegroundWindow.USER32(00000000), ref: 00F9F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F4F6
keybd_event.USER32(00000012,00000000), ref: 00F9F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F50B
keybd_event.USER32(00000012,00000000), ref: 00F9F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F519
keybd_event.USER32(00000012,00000000), ref: 00F9F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F528
keybd_event.USER32(00000012,00000000), ref: 00F9F52D
SetForegroundWindow.USER32(00000000), ref: 00F9F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F9F557

Strings

Shell_TrayWnd, xrefs: 00F9F46F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d4b7d59ccd38e4c2d3afb60387ea61ba1c7eaa5b983728562ca50530a4f659e4
Instruction ID: c4ba8ff6675131e0c921af686dac36469201159685fad5193a2758345376fd76
Opcode Fuzzy Hash: d4b7d59ccd38e4c2d3afb60387ea61ba1c7eaa5b983728562ca50530a4f659e4
Instruction Fuzzy Hash: 8A316D71A4021DBAFF206BB59C4AFBF7F6DEB44B50F150066FA04E61D1C6B19900FAA0

Function 00FA1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00FA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA170D
Part of subcall function 00FA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA173A
Part of subcall function 00FA16C3: GetLastError.KERNEL32 ref: 00FA174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FA1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FA12A8
CloseHandle.KERNEL32(?), ref: 00FA12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FA12D1
GetProcessWindowStation.USER32 ref: 00FA12EA
SetProcessWindowStation.USER32(00000000), ref: 00FA12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FA1310

Part of subcall function 00FA10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA11FC), ref: 00FA10D4
Part of subcall function 00FA10BF: CloseHandle.KERNEL32(?,?,00FA11FC), ref: 00FA10E9

Strings

, xrefs: 00FA125A
winsta0, xrefs: 00FA12CC
default, xrefs: 00FA130B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: c99a454907ce6af8d52debb64db713bcbca0a92f1b88439dde03ddd9a0d362aa
Instruction ID: 435ece3aa6e322f80d7e5e1f6c62a1c70fd5a45b25b95e4b62f1c9ed35fad063
Opcode Fuzzy Hash: c99a454907ce6af8d52debb64db713bcbca0a92f1b88439dde03ddd9a0d362aa
Instruction Fuzzy Hash: 7A818EB1900209ABDF21DFA8DC49BEE7BB9FF0A714F15412AF911A61A0C7349954EB60

Function 00FA0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1114
Part of subcall function 00FA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1120
Part of subcall function 00FA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA112F
Part of subcall function 00FA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1136
Part of subcall function 00FA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA0C00
GetLengthSid.ADVAPI32(?), ref: 00FA0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00FA0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA0C6D
GetLengthSid.ADVAPI32(?), ref: 00FA0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FA0C8C
HeapAlloc.KERNEL32(00000000), ref: 00FA0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA0CB4
CopySid.ADVAPI32(00000000), ref: 00FA0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0D45
HeapFree.KERNEL32(00000000), ref: 00FA0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0D55
HeapFree.KERNEL32(00000000), ref: 00FA0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0D65
HeapFree.KERNEL32(00000000), ref: 00FA0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA0D78
HeapFree.KERNEL32(00000000), ref: 00FA0D7F

Part of subcall function 00FA1193: GetProcessHeap.KERNEL32(00000008,00FA0BB1,?,00000000,?,00FA0BB1,?), ref: 00FA11A1
Part of subcall function 00FA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FA0BB1,?), ref: 00FA11A8
Part of subcall function 00FA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FA0BB1,?), ref: 00FA11B7

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1fcf87e1508134f005ef927a3cd2af608f5e69597d8627f3480c3058e667b487
Instruction ID: 47b2bd3916e254f9d335712548dfd608ba3b58882dfebdc9c79ebbeba56996cf
Opcode Fuzzy Hash: 1fcf87e1508134f005ef927a3cd2af608f5e69597d8627f3480c3058e667b487
Instruction Fuzzy Hash: 85718DB2D0121AABDF10DFA5EC48FAEBBB9BF05320F044115F914E7191DB71A905EBA0

Function 00FBEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FDCC08), ref: 00FBEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FBEB37
GetClipboardData.USER32(0000000D), ref: 00FBEB43
CloseClipboard.USER32 ref: 00FBEB4F
GlobalLock.KERNEL32(00000000), ref: 00FBEB87
CloseClipboard.USER32 ref: 00FBEB91
GlobalUnlock.KERNEL32(00000000), ref: 00FBEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FBEBC9
GetClipboardData.USER32(00000001), ref: 00FBEBD1
GlobalLock.KERNEL32(00000000), ref: 00FBEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00FBEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FBEC38
GetClipboardData.USER32(0000000F), ref: 00FBEC44
GlobalLock.KERNEL32(00000000), ref: 00FBEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FBEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FBEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FBECD2
GlobalUnlock.KERNEL32(00000000), ref: 00FBECF3
CountClipboardFormats.USER32 ref: 00FBED14
CloseClipboard.USER32 ref: 00FBED59

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f81479e21c723ff0c38e683471f668a8db877c089adce0c800d47047a0ab90f5
Instruction ID: c6570a1fa8b45626724ce438ecbf471b219ce1bd32f1668fbea05980787b2827
Opcode Fuzzy Hash: f81479e21c723ff0c38e683471f668a8db877c089adce0c800d47047a0ab90f5
Instruction Fuzzy Hash: FF61D2352042069FD300EF25CC84FAABBE9AF84714F14851EF856972A2CB71DD05EFA2

Function 00FB698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB69BE
FindClose.KERNEL32(00000000), ref: 00FB6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FB6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FB6A75

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FB6B6A
%4d, xrefs: 00FB6BB1
%03d, xrefs: 00FB6DA2
%02d, xrefs: 00FB6C00, 00FB6C0A, 00FB6C5A, 00FB6CAA, 00FB6CFA, 00FB6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FB6B32

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 846ff483419789476961456d71b288c4735b2bacb7022be66704d71c4b3f7517
Instruction ID: 5e164ac4dd0ed7eac35b60079327e359b060e91af559967c66e731b1c9847998
Opcode Fuzzy Hash: 846ff483419789476961456d71b288c4735b2bacb7022be66704d71c4b3f7517
Instruction Fuzzy Hash: 56D14372508301AEC710EBA5CC81EAFB7ECAF88704F44491DF985D7191EB78DA48DB62

Function 00FB9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FB9663
GetFileAttributesW.KERNEL32(?), ref: 00FB96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FB96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FB96D3
FindClose.KERNEL32(00000000), ref: 00FB96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FB96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB974A
SetCurrentDirectoryW.KERNEL32(01006B7C), ref: 00FB9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB9772
FindClose.KERNEL32(00000000), ref: 00FB977F
FindClose.KERNEL32(00000000), ref: 00FB978F

Strings

*.*, xrefs: 00FB96F5

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 25bf066a977c7555f55363a8892e1a6d9094b138794748400d2ca0c188cefd93
Instruction ID: c0f2e86ec883fa6d3f3bd1d02aa6ab7dc2b60662e92e279eb148044081a4bf1c
Opcode Fuzzy Hash: 25bf066a977c7555f55363a8892e1a6d9094b138794748400d2ca0c188cefd93
Instruction Fuzzy Hash: 6831F37290560E6ADF10AFB6DC48ADE37ED9F49321F104156FA14E21A0EB74DD80EE90

Function 00FB979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FB97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FB9819
FindClose.KERNEL32(00000000), ref: 00FB9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FB9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB9890
SetCurrentDirectoryW.KERNEL32(01006B7C), ref: 00FB98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB98B8
FindClose.KERNEL32(00000000), ref: 00FB98C5
FindClose.KERNEL32(00000000), ref: 00FB98D5

Part of subcall function 00FADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FADB00

Strings

*.*, xrefs: 00FB983B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: cfb803f14e0eae9ee31c1589c97767153b83fdd6cc35f31d4ffa6e9b47946ef9
Instruction ID: 4e8dff3b5e878ecf3623d4f0a4a8497e4072ff3bfb03b682b60496daf04638fd
Opcode Fuzzy Hash: cfb803f14e0eae9ee31c1589c97767153b83fdd6cc35f31d4ffa6e9b47946ef9
Instruction Fuzzy Hash: 0531163190961E6ADF10EFB6DC48ADE37BD9F06330F104156EA40A2090DB71D984FE60

Function 00FCBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCC9F1
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA68
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FCBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00FCBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FCC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FCC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FCC382
RegCloseKey.ADVAPI32(00000000), ref: 00FCC38F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: bb6f1decc06c19764a605f2ce0328d3922a5674f279d9965ad458fe112d9d14c
Instruction ID: 5bcebc1758a85f1f6628ea146e1ac6648bb01a505e825547273a5fd51507e596
Opcode Fuzzy Hash: bb6f1decc06c19764a605f2ce0328d3922a5674f279d9965ad458fe112d9d14c
Instruction Fuzzy Hash: 13024C71A042419FC714DF28C996F2ABBE5EF89314F18849DF84ACB2A2D731EC45DB91

Function 00FB8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FB8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FB8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FB838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8395

Strings

*.*, xrefs: 00FB839B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: dc595dff80e206278da91dad34872aa990ebc7bf34d748c804f13e62211e5b23
Instruction ID: 9bd7004b6893e97eb639502d92a419f90d826473ca4a6701a6d2f26cefbec090
Opcode Fuzzy Hash: dc595dff80e206278da91dad34872aa990ebc7bf34d748c804f13e62211e5b23
Instruction Fuzzy Hash: 296167B25083059FCB10EF65C8409AEB7E8FF89320F08491AF98987251DB35E906DF92

Function 00FAD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43A97,?,?,00F42E7F,?,?,?,00000000), ref: 00F43AC2

Part of subcall function 00FAE199: GetFileAttributesW.KERNEL32(?,00FACF95), ref: 00FAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FAD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FAD1DD
MoveFileW.KERNEL32(?,?), ref: 00FAD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FAD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FAD237

Part of subcall function 00FAD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FAD21C,?,?), ref: 00FAD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00FAD253
FindClose.KERNEL32(00000000), ref: 00FAD264

Strings

\*.*, xrefs: 00FAD0CD, 00FAD0D6, 00FAD0EB

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 965f5fb81477e3736ab14eb59d190f936f93d86e09c54c8bda034a3e68bf115d
Instruction ID: b31e56658223a38aaac3e23508519ec34072f557cb7300a6e76187c2132ffb8e
Opcode Fuzzy Hash: 965f5fb81477e3736ab14eb59d190f936f93d86e09c54c8bda034a3e68bf115d
Instruction Fuzzy Hash: 69615D71D0510D9BDF05EBE0DD92AEDBBB9AF56300F604165E80277192EB386F09EB60

Function 00FBED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FBED91
EmptyClipboard.USER32 ref: 00FBED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FBEDAC
CloseClipboard.USER32 ref: 00FBEEA3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3596c4e29aaf47167dd5bc1e259ef5e97201e4383b6335cdcc69c17eabc3cdc1
Instruction ID: 40193bc2964b72c1744794234b57473d6acf274a970c54bc7119644a698f9fc9
Opcode Fuzzy Hash: 3596c4e29aaf47167dd5bc1e259ef5e97201e4383b6335cdcc69c17eabc3cdc1
Instruction Fuzzy Hash: D241C1356052119FD720DF26D888B99BBE5EF44328F15C099E8198B662C776EC41EFD0

Function 00FAE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA170D
Part of subcall function 00FA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA173A
Part of subcall function 00FA16C3: GetLastError.KERNEL32 ref: 00FA174A

ExitWindowsEx.USER32(?,00000000), ref: 00FAE932

Strings

@, xrefs: 00FAE925
, xrefs: 00FAE920
SeShutdownPrivilege, xrefs: 00FAE902
, xrefs: 00FAE95C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6278934512c20e9d7c8400a35ed8768dcfbf5048e0c39dcd09bab19e9d634eb4
Instruction ID: 6ff6a82323b0591606ac8b5b5d561c4efb2ddfee549e7e9db37cfae3be8fd591
Opcode Fuzzy Hash: 6278934512c20e9d7c8400a35ed8768dcfbf5048e0c39dcd09bab19e9d634eb4
Instruction Fuzzy Hash: 100126B3A10315ABEB2422B49C8ABFB725CAB1A750F154422F803E21D1D5A45C40B1E0

Function 00FC1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FC1276
WSAGetLastError.WSOCK32 ref: 00FC1283
bind.WSOCK32(00000000,?,00000010), ref: 00FC12BA
WSAGetLastError.WSOCK32 ref: 00FC12C5
closesocket.WSOCK32(00000000), ref: 00FC12F4
listen.WSOCK32(00000000,00000005), ref: 00FC1303
WSAGetLastError.WSOCK32 ref: 00FC130D
closesocket.WSOCK32(00000000), ref: 00FC133C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 8a2e1621df447c5a7efda7ae0c3d434501e8a86e717b3a5eeed7b3972d16af67
Instruction ID: daa350d1f3128300559925c35263bcdd7d66a78254645b22fefee8b53471278a
Opcode Fuzzy Hash: 8a2e1621df447c5a7efda7ae0c3d434501e8a86e717b3a5eeed7b3972d16af67
Instruction Fuzzy Hash: D1417C35A001429FD710DF24C589F69BBE6BF46328F18818DD8568B297C775EC81EBE0

Function 00FAD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43A97,?,?,00F42E7F,?,?,?,00000000), ref: 00F43AC2

Part of subcall function 00FAE199: GetFileAttributesW.KERNEL32(?,00FACF95), ref: 00FAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FAD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FAD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FAD481
FindClose.KERNEL32(00000000), ref: 00FAD498
FindClose.KERNEL32(00000000), ref: 00FAD4A1

Strings

\*.*, xrefs: 00FAD3F2

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c7d1ea2c485fc811462495b01506ad0081b6fd3dd82c0ea903d09d840c65968a
Instruction ID: 20e1658e565eecf4286c2447bb75f519073014b5d5b885b64a7a36af25e7c456
Opcode Fuzzy Hash: c7d1ea2c485fc811462495b01506ad0081b6fd3dd82c0ea903d09d840c65968a
Instruction Fuzzy Hash: FC3182714093459FC304EF64CC558AF7BA8BE96314F444A1EF8D293191EB34AA09E763

Function 00F7E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F7E645

Strings

1#SNAN, xrefs: 00F7F844
1#INF, xrefs: 00F7F852
1#QNAN, xrefs: 00F7F84B
1#IND, xrefs: 00F7F83D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d4537d0d633daa650a0dc1dfab0001d48e2bdd75738e43a73bc924b1d29f8657
Instruction ID: f40b1c63028938ea46f501c1731770d91b3e505e2b9f7a641f2a2cdec57f1456
Opcode Fuzzy Hash: d4537d0d633daa650a0dc1dfab0001d48e2bdd75738e43a73bc924b1d29f8657
Instruction Fuzzy Hash: 02C23C72E046288FDB25CE28DD407EAB7B5EB48314F1481EBD44DE7241E778AE859F42

Function 00FB648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB64DC
CoInitialize.OLE32(00000000), ref: 00FB6639
CoCreateInstance.OLE32(00FDFCF8,00000000,00000001,00FDFB68,?), ref: 00FB6650
CoUninitialize.OLE32 ref: 00FB68D4

Strings

.lnk, xrefs: 00FB64BA, 00FB6524, 00FB65E0

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 297ff9b6a344fdfde9140660ccd758f618e6050ad449fc344083b6fea423ebf6
Instruction ID: 08b59f40eb1f6a9342a90aa583bd9a01418017403c88420e2419a2ae5f471630
Opcode Fuzzy Hash: 297ff9b6a344fdfde9140660ccd758f618e6050ad449fc344083b6fea423ebf6
Instruction Fuzzy Hash: 6CD159716083019FC314EF24C881DABBBE9FF98314F04495DF9958B291EB75E909DBA2

Function 00FC22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FC22E8

Part of subcall function 00FBE4EC: GetWindowRect.USER32(?,?), ref: 00FBE504

GetDesktopWindow.USER32 ref: 00FC2312
GetWindowRect.USER32(00000000), ref: 00FC2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FC2355
GetCursorPos.USER32(?), ref: 00FC2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FC23DF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9261b934665549b5a6fb55d214b96306ed23747917888783ec3a9052e30d7cca
Instruction ID: 09f44b722e46b851df4ac6dd1626d6db638ce41dc6a519becf913ded47561e10
Opcode Fuzzy Hash: 9261b934665549b5a6fb55d214b96306ed23747917888783ec3a9052e30d7cca
Instruction Fuzzy Hash: D131CF72505356ABD720DF24D945F9BB7AAFF88710F00091EF98597181DB34E908DBD2

Function 00FB9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FB9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FB9C8B

Part of subcall function 00FB3874: GetInputState.USER32 ref: 00FB38CB
Part of subcall function 00FB3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FB9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FB9C75

Strings

*.*, xrefs: 00FB9B5D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9bdbdb8ae596c48511f0c87141162dc1d236c8e7bd7c4a1b6ccd77867672f95b
Instruction ID: 30f0a8b69ec66311472a1fab987b66d99a44d8a84e5ab2a9e1d5b7f42543e48f
Opcode Fuzzy Hash: 9bdbdb8ae596c48511f0c87141162dc1d236c8e7bd7c4a1b6ccd77867672f95b
Instruction Fuzzy Hash: 834190B1D4820A9FDF15DFA5CC89AEE7BB4EF05310F244156E905A3191EB709E84EFA0

Function 00FAAA57 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FAAAAC
SetKeyboardState.USER32(00000080), ref: 00FAAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FAAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FAAB88

Strings

______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{, xrefs: 00FAAAEA

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: ______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{
API String ID: 432972143-4086604533
Opcode ID: 984bcd97d92911ccbb40bb657ee96f9b3f85d961c8920cfa7e78978cb522a5ed
Instruction ID: 41756b710a2d7356afabc1d54492871a08de446b7cc924c377a5ed1c9233020f
Opcode Fuzzy Hash: 984bcd97d92911ccbb40bb657ee96f9b3f85d961c8920cfa7e78978cb522a5ed
Instruction Fuzzy Hash: BB311AB0E40608AEFF35CA64CC05BFA77A6AB86360F04421AF185561D1D3759989F7B2

Function 00F48060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F85DF0
VUUU, xrefs: 00F4843C
VUUU, xrefs: 00F483FA
ERCP, xrefs: 00F4813C
VUUU, xrefs: 00F483E8
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00F85D0F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: 5aaa1223934b942201cc0ccb1665b933f901dc26dcb8785921e1d1541d7ec52b
Instruction ID: 6daa629baf8fbf93f876cce0b23cc16d5fe115b08f8171d248b470334ffca4f9
Opcode Fuzzy Hash: 5aaa1223934b942201cc0ccb1665b933f901dc26dcb8785921e1d1541d7ec52b
Instruction Fuzzy Hash: 5AA28E71E0021ACBDF24DF58C8407EDBBB1BB54764F2481AAEC15A7285DB749D82EF90

Function 00F5997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F59A4E
GetSysColor.USER32(0000000F), ref: 00F59B23
SetBkColor.GDI32(?,00000000), ref: 00F59B36

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 5c386285bfed581e2898e2ae11a084cc97e904c5b15f88a737a89f2dd3adc3ea
Instruction ID: 0b08629f22fa59571016fd55c8a3023b12f9fca622be15d018913f5c83b68109
Opcode Fuzzy Hash: 5c386285bfed581e2898e2ae11a084cc97e904c5b15f88a737a89f2dd3adc3ea
Instruction Fuzzy Hash: 1EA1197151C744FEFB2CAA7C8C48F7B365EDB82361B15410AFA02C6685CAAD9D05F272

Function 00FC1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC307A
Part of subcall function 00FC304E: _wcslen.LIBCMT ref: 00FC309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FC185D
WSAGetLastError.WSOCK32 ref: 00FC1884
bind.WSOCK32(00000000,?,00000010), ref: 00FC18DB
WSAGetLastError.WSOCK32 ref: 00FC18E6
closesocket.WSOCK32(00000000), ref: 00FC1915

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c682bd50a6f9469f2c8b350de7ab2c614db8407429a6858632d72173a1866439
Instruction ID: fde5966b2d28d07d4861ddeff21ba05bcc0c48d413bef30d3feed1048a03bd14
Opcode Fuzzy Hash: c682bd50a6f9469f2c8b350de7ab2c614db8407429a6858632d72173a1866439
Instruction Fuzzy Hash: B2518171A00211AFEB10AF24C986F2A7BA5AB45718F18849CF9059F3D3C775AD41EBE1

Function 00FD1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FD1CC0
IsWindowEnabled.USER32 ref: 00FD1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FD1CDB
IsIconic.USER32 ref: 00FD1CE9
IsZoomed.USER32 ref: 00FD1CF7

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6d09dfbbce7c5b44cae8366bfe5c848511d02087ec51fd9fe169beb98f58de9a
Instruction ID: 5521d93adf3751b9ce9215e9a498fd210d148f6ae5f527ba9dfce90a6c9529fe
Opcode Fuzzy Hash: 6d09dfbbce7c5b44cae8366bfe5c848511d02087ec51fd9fe169beb98f58de9a
Instruction Fuzzy Hash: 1121D631B512116FD7208F2AC844B5A7BA7FF95325B1C805AE8498B351D775DC42EBD0

Function 00F7BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F7BB7F

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

GetTimeZoneInformation.KERNEL32 ref: 00F7BB91
WideCharToMultiByte.KERNEL32(00000000,?,0101121C,000000FF,?,0000003F,?,?), ref: 00F7BC09
WideCharToMultiByte.KERNEL32(00000000,?,01011270,000000FF,?,0000003F,?,?,?,0101121C,000000FF,?,0000003F,?,?), ref: 00F7BC36

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: b87ef63287073376496b6c3464a5f4da48ab1ed76182a6a47dbb7e3cc3c49681
Instruction ID: 10f798023ca0e3c5a3e86caa5c4e0d3665de138da3f81b28d4fb7b55c589ae1a
Opcode Fuzzy Hash: b87ef63287073376496b6c3464a5f4da48ab1ed76182a6a47dbb7e3cc3c49681
Instruction Fuzzy Hash: F13102B0904205EFCB15DF78CC80AA9BBB8BF46320714C25BE158D72A5C7398950EB51

Function 00FBCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FBCE89
GetLastError.KERNEL32(?,00000000), ref: 00FBCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FBCEFE

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 2b51e4ad3b0fcce00da3b00b01239013ae3d2ceccdb8b6558fbd87fa719fb3d6
Instruction ID: e09e7feab59316deee4337c779c3bfd9f4a2bfd373bb131461281677af17b4dc
Opcode Fuzzy Hash: 2b51e4ad3b0fcce00da3b00b01239013ae3d2ceccdb8b6558fbd87fa719fb3d6
Instruction Fuzzy Hash: 4C218C72900306DBEB209FA6C948BA777F9EB40364F10441EE54692151E774EE04EFA0

Function 00FA8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FA82AA

Strings

|, xrefs: 00FA82DA
(, xrefs: 00FA82F0

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b84cc8a2f0175d9598bab17a8b74b3f0b9934d307432c3220a014bd67d426311
Instruction ID: 7dd17ecf8fcd2f30ccbec763b492a0ec5f3afd9d0fb97f5eb6621466c3ec9d1c
Opcode Fuzzy Hash: b84cc8a2f0175d9598bab17a8b74b3f0b9934d307432c3220a014bd67d426311
Instruction Fuzzy Hash: 023239B5A007059FCB28CF59C481A6AB7F0FF48760B15C46EE59ADB3A1DB70E942DB40

Function 00FB5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FB5D17
FindClose.KERNEL32(?), ref: 00FB5D5F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 2dedf5285a065fcbb94e66e916e6b4f3f359dad5e07dc14fb568db6aa24f9690
Instruction ID: 53bb98198d9826e26a2a89cc0cffc2eef9fa5aef2722245bfe7e799c20dd015c
Opcode Fuzzy Hash: 2dedf5285a065fcbb94e66e916e6b4f3f359dad5e07dc14fb568db6aa24f9690
Instruction Fuzzy Hash: 5151AC75A046019FC714CF29C894A96BBE4FF49324F14865EE95A8B3A1CB38FC04DF91

Function 00F72622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00F7271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F72724
UnhandledExceptionFilter.KERNEL32(?), ref: 00F72731

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0269df50c724162d9634ac2e85825538ced3a55ff28d5066dd7c3052b211015d
Instruction ID: d557474a8f0ababc1bad7bd56337e4381fcc03b85c43c750d6248af23d784b51
Opcode Fuzzy Hash: 0269df50c724162d9634ac2e85825538ced3a55ff28d5066dd7c3052b211015d
Instruction Fuzzy Hash: 5F31D67491121D9BCB61DF68DD897DDB7B8AF08310F5042EAE80CA7260EB349F819F45

Function 00FB51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FB5238
SetErrorMode.KERNEL32(00000000), ref: 00FB52A1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 11f6fb6e7c857eb113955dd421e8711a9b6377346dc28841d0133cf121979eac
Instruction ID: 02c50371978433a608797f0c6542e3b8bbd289e650903207baa1499297d07c92
Opcode Fuzzy Hash: 11f6fb6e7c857eb113955dd421e8711a9b6377346dc28841d0133cf121979eac
Instruction Fuzzy Hash: 51317C75A00518DFDB00DF54D884FADBBB5FF09314F088099E805AB352CB36E846DBA0

Function 00FA16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F60668
Part of subcall function 00F5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F60685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA173A
GetLastError.KERNEL32 ref: 00FA174A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a705ddc5fe131a42e85444df40501448699a9105eb29ab2d2596ce4d970d78cd
Instruction ID: ba2b8130859990fc70a5da95dcd93f55d891baeff35cfd81d9edbfb7dfdefc83
Opcode Fuzzy Hash: a705ddc5fe131a42e85444df40501448699a9105eb29ab2d2596ce4d970d78cd
Instruction Fuzzy Hash: F511C1B2400309AFD718AF64DC86D6AB7B9FB04714B20852EE45697241EB70BC45DA60

Function 00FAD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FAD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00FAD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FAD650

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2225a04efee65ea55c7ee4bf1e41b359c6ab32aaf7fd2884c208ae1a5a1cb7c5
Instruction ID: 7d15e0cb9ccf236903c1cb6021a7424f38cdc5114a6eccacdd9af03ed9ab13e9
Opcode Fuzzy Hash: 2225a04efee65ea55c7ee4bf1e41b359c6ab32aaf7fd2884c208ae1a5a1cb7c5
Instruction Fuzzy Hash: 6D115EB5E05228BFDB148FA5DC45FAFBBBCEB45B60F108116F904E7290D6704A059BE1

Function 00FA1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FA168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FA16A1
FreeSid.ADVAPI32(?), ref: 00FA16B1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: cfa7489408e26773dad71e94e28399df250532b272aec8fd3715b35b9c498b0d
Instruction ID: 4bf4bc4a3ee01a89163b1c446fbf4fe3817277173117f5e4a97e9130175a18ae
Opcode Fuzzy Hash: cfa7489408e26773dad71e94e28399df250532b272aec8fd3715b35b9c498b0d
Instruction Fuzzy Hash: F7F0F47195130DFBDF00DFF4DC89AAEBBBDFB08604F504565E501E2181E774AA449A90

Function 00F9D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F9D28C

Strings

X64, xrefs: 00F9D2A8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: abed5275599aed51fa071810defca0ccaa72da5ac9d515060fa45dffed2f597a
Instruction ID: 3fd17cedadc2b06706f481e676a68f7f29369852089b067919fb5b163196cee3
Opcode Fuzzy Hash: abed5275599aed51fa071810defca0ccaa72da5ac9d515060fa45dffed2f597a
Instruction Fuzzy Hash: 73D0C9B580211DEACF94CBA0DC88ED9B37CBB04305F100152F506E2080D7309548AF10

Function 00F6CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: abf4073c518ba1c84133384ff04df814f311dc34ce11972c530a07b0dff34383
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: FC022D72E001199FDF14CFA9C8806ADFBF5FF88324F25816AD999E7380D731A9419B94

Function 00FB68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB6918
FindClose.KERNEL32(00000000), ref: 00FB6961

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d9ef4e14190d10a0a846095e8184cd9f92641525c07d54d36f690b43b663cb8f
Instruction ID: befa94237c2f264a636cd2575c5a96665cb6e8fdcffd5589665034d6a15db092
Opcode Fuzzy Hash: d9ef4e14190d10a0a846095e8184cd9f92641525c07d54d36f690b43b663cb8f
Instruction Fuzzy Hash: 041190316042119FD710DF2AD884A16BBE5FF85329F15C699E8698F2A2C738EC05DBD1

Function 00FB37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FC4891,?,?,00000035,?), ref: 00FB37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FC4891,?,?,00000035,?), ref: 00FB37F4

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0c77fe42fcde2448f658061f3e7f7284d781ab6e8ea5ae6090acc4675e844de6
Instruction ID: c7d86c9dc65b75ed70ad98823039da29674b25c1488758ce9b24e30c2b69eac2
Opcode Fuzzy Hash: 0c77fe42fcde2448f658061f3e7f7284d781ab6e8ea5ae6090acc4675e844de6
Instruction Fuzzy Hash: 0AF0E5B17092296AE72027769C4DFEB3BAEEFC4761F000265F609D2281D9609904DBF0

Function 00FAB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FAB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00FAB270

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 398435667267332a048c44aa794a78b6816b1f4d1d775d09be57484b17b6ace2
Instruction ID: 530a17f08dd291f258de93e523723026530628951be628ce3859903b5c540e73
Opcode Fuzzy Hash: 398435667267332a048c44aa794a78b6816b1f4d1d775d09be57484b17b6ace2
Instruction Fuzzy Hash: DBF01D7180424EABDB069FA0C805BAE7BB4FF05315F04804AF955A5192C7798611EF94

Function 00FA10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA11FC), ref: 00FA10D4
CloseHandle.KERNEL32(?,?,00FA11FC), ref: 00FA10E9

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f7c371df7355cf7545b5ff2fc7995c223ebb20314b59dd5cc8af27c7363bdef8
Instruction ID: 3ea1a7225aecd00df13ae9d69812800c7a7847aa6759c98265fe66d4c3eb8f7a
Opcode Fuzzy Hash: f7c371df7355cf7545b5ff2fc7995c223ebb20314b59dd5cc8af27c7363bdef8
Instruction Fuzzy Hash: E6E04F72004601AFF7252B21FC0AE7377A9EB04321F10C82EF9A5804B1DB626C94EB50

Function 00F4CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F90C40

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 9700bdf4b1bda1bb9e5e10c351a7583a7284a25b140fe0d67d67eb37957f385f
Instruction ID: e2d6e17c6332c67d978555350251b2da914b1d1a623beeae9d6173fc8092eaaa
Opcode Fuzzy Hash: 9700bdf4b1bda1bb9e5e10c351a7583a7284a25b140fe0d67d67eb37957f385f
Instruction Fuzzy Hash: 72327A31D012189FDF54DF90C881BEDBBB5BF04314F144069ED06AB292DB79AD49EBA0

Function 00F7676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F76766,?,?,00000008,?,?,00F7FEFE,00000000), ref: 00F76998

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ffd5b0825d773fa6e3270aa50f86ec3a2534cc6a4db1e0b39a208297a737deb1
Instruction ID: d34bc9b159fac71a4f5ae17488eeaf609080fb51a8ebffb7eec3cd99318aa17f
Opcode Fuzzy Hash: ffd5b0825d773fa6e3270aa50f86ec3a2534cc6a4db1e0b39a208297a737deb1
Instruction Fuzzy Hash: 09B16C32910A099FE719CF28C486B647BE0FF05364F25C659E89DCF2A2C335D981DB42

Function 00F5B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F9851F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1864421e8475ad7342196ae53f90bdeaf69f7274af674a901f406cdf39f34467
Instruction ID: 035a61c4a92031711345cffef0ec4b95196ccd5b05ebacc62109771640581aa2
Opcode Fuzzy Hash: 1864421e8475ad7342196ae53f90bdeaf69f7274af674a901f406cdf39f34467
Instruction Fuzzy Hash: B0125E71D002299FDF24CF58C880BEEB7B5FF49710F14819AE949EB251DB349A85EB90

Function 00FBEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FBEABD

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 4f2d8e85002a7e924e5ee43c54c885cd436fbaf07ea67347a6aca121e7d28989
Instruction ID: 8bee117701ceda8367172932e1cc78d2198f1c1d689b11d2a088636b249e08c2
Opcode Fuzzy Hash: 4f2d8e85002a7e924e5ee43c54c885cd436fbaf07ea67347a6aca121e7d28989
Instruction Fuzzy Hash: 84E01A362002049FC710EF6AD804E9AFBEDAF98770F008416FC49C7391DA79E8409BA0

Function 00F609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F603EE), ref: 00F609DA

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5a1f12c76b4cd68f641d2d7abf4382a0436668a178710b914040c0cae4fd5df5
Instruction ID: 38d93aa7c6aeac3614379149b45d7dcff72c2a61be35375626c74b50ed1de43c
Opcode Fuzzy Hash: 5a1f12c76b4cd68f641d2d7abf4382a0436668a178710b914040c0cae4fd5df5
Instruction Fuzzy Hash:

Function 00F6781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F6798B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4d1fe8a426a956e419b4484b43236329c35b9639704d4fff12655f909ac802e6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 0E515972E0C7455BDB38B57888597BF63D59B0236CF280A09E882D7283C619EE46F356

Function 00F76DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5784f6ec91df2fba9dd9c1837b690c850555ccdd35f180109f1a7d08625170
Instruction ID: 35ee97987510e1f095c71b603cbb4a60ba1bf0dc3f4bfdfa52e8b829dfa1a4ba
Opcode Fuzzy Hash: ac5784f6ec91df2fba9dd9c1837b690c850555ccdd35f180109f1a7d08625170
Instruction Fuzzy Hash: 9E326422D39F454DD723A634CC62335A68DAFB73D4F15C337E81AB99A6EB28C4836101

Function 00F5CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302652e6670c68fd62b0fd7071bcb7e70f431243234a87cba26f06a7aef4475f
Instruction ID: d851841d2349186f697a3daafe5de120331ea49a0201cb3cf66adb521c458819
Opcode Fuzzy Hash: 302652e6670c68fd62b0fd7071bcb7e70f431243234a87cba26f06a7aef4475f
Instruction Fuzzy Hash: 69323D32E002858FEF25CF29C49467D7BA1EB45321F288566DA5ACB291D334DD85FBC1

Function 00F47920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbad690405eaf4731cca22fc1e6601759d6bb3e12d10fe358d59496c26d8689
Instruction ID: 113ed3f97f5e675553514884049b95d0e0cc66dae6a1e79723edb632ce0d393f
Opcode Fuzzy Hash: cdbad690405eaf4731cca22fc1e6601759d6bb3e12d10fe358d59496c26d8689
Instruction Fuzzy Hash: 0F22C271E04609DFDF14EF64C881AEEB7B6FF44710F144529E812AB291EB3A9D14EB50

Function 00F491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb997fa10497d58f0d4735bc9201cc5fb4b6a4cdc8fab31191e5ab1df58e4e7
Instruction ID: d91565cf09acc40bd2d8467f8e56b8dcbf10ed626a2f2141bb2122581dbdc0fd
Opcode Fuzzy Hash: 9cb997fa10497d58f0d4735bc9201cc5fb4b6a4cdc8fab31191e5ab1df58e4e7
Instruction Fuzzy Hash: F002C6B1E00205EFDB05EF54D881AAEBBB5FF44310F108169E816DB391EB75AE14EB91

Function 00F79EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588d4c0630e9b6b910d3ba2ff209b128a0fef488509de7de8f7abb0dfc0edb97
Instruction ID: fb3bda80359159adca2c6abb8290f5228755129e54e1e172445ebc7d61b6481c
Opcode Fuzzy Hash: 588d4c0630e9b6b910d3ba2ff209b128a0fef488509de7de8f7abb0dfc0edb97
Instruction Fuzzy Hash: 1EB12620D2AF844DD32396398879336B65C6FBB2C5F52D31BFC1679D22EB2285835141

Function 00F61C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8425a342cf981425ecaefe6de93ca6b5a585b6fb1602eaf7cd17d19a4ba1ed21
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 67915673A080E34ADB6D463A857417EFFE16A523B131E079ED4F2CA1C5EE14D954F620

Function 00F61F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 523f021434f0bddef1aec6ff73e09b365c87abee873957312a1b2a435ae799e5
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1E915473A0D4A34ADBAD463A857413EFFE15A923B131E079DD4F2CB1C5EE248564F620

Function 00F619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: b54c0c27d69e95290fcd188addb88afea45a9e01bc383b926557cdc64a12fd80
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: E49132736090E34ADB6D467A857407EFFE16A923B231E079ED4F2CA1C1FE248564F620

Function 00F67A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4445ef52029c93c674666bc4c600799db6f2ed63728809be77b16c9ae3a77c1
Instruction ID: 9bf714c67e65a4267d06d142b95732bc02c86cf06563e64fa09c744ec4f5e070
Opcode Fuzzy Hash: f4445ef52029c93c674666bc4c600799db6f2ed63728809be77b16c9ae3a77c1
Instruction Fuzzy Hash: 4861AB31A0C30956DE34BA688DA1BBF3394DF8176CF240A1DE843CB296DA199E43F315

Function 00F67CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc885294b574d4343999cfdbffcf5ab41ff237e0203b8e0c453df08b5a349f0
Instruction ID: a93918f2eedc94e7c9fbcc5eb3d79c855a46613746ece3d6f921f5752f429b5b
Opcode Fuzzy Hash: 9cc885294b574d4343999cfdbffcf5ab41ff237e0203b8e0c453df08b5a349f0
Instruction Fuzzy Hash: 7861AC31E0870962DF38BA288D51BBF3394DF5276CF100E59E943CB281EA17AD46B311

Function 00F61706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: adeeb1eb19df6d11e6dad7abafabbf5a441b80c1f63d266529912abc1f3e15f0
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: CA814373A090A349DB6D863A857443EFFE17A923B131E079DD4F2CB1C1EE249554F620

Function 00FB2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732ffd4d66af5fcaf2e4ad9c126725daa7aa301b73b7f0eb01c6e434090f309b
Instruction ID: 0da3feebc631b0d9bb73c4cca38c97ce2e508649ef7b254a4220d3fcc99df9ca
Opcode Fuzzy Hash: 732ffd4d66af5fcaf2e4ad9c126725daa7aa301b73b7f0eb01c6e434090f309b
Instruction Fuzzy Hash: 2721A8326205158BD728CE79C8126BE73D5A754320F258A2EE4A7C37C4DE3EA904DB40

Function 00FC2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC2B30
DeleteObject.GDI32(00000000), ref: 00FC2B43
DestroyWindow.USER32 ref: 00FC2B52
GetDesktopWindow.USER32 ref: 00FC2B6D
GetWindowRect.USER32(00000000), ref: 00FC2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FC2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FC2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2CF8
GetClientRect.USER32(00000000,?), ref: 00FC2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FC2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D80
GlobalLock.KERNEL32(00000000), ref: 00FC2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D98
GlobalUnlock.KERNEL32(00000000), ref: 00FC2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2DA8
GlobalFree.KERNEL32(00000000), ref: 00FC2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FDFC38,00000000), ref: 00FC2DDB
GlobalFree.KERNEL32(00000000), ref: 00FC2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FC2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FC2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC303F

Strings

static, xrefs: 00FC2D3A, 00FC2E91
DISPLAY, xrefs: 00FC2EA2
, xrefs: 00FC2FC5
AutoIt v3, xrefs: 00FC2CF2

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c23b3598d079c2d31df000f3085e5b3f74bfb7267795b5839b1bb52bf09b9b5d
Instruction ID: 9623a7a7a28271c07d85ba889e90b82067882769dac80d46e15aa785cdd8a415
Opcode Fuzzy Hash: c23b3598d079c2d31df000f3085e5b3f74bfb7267795b5839b1bb52bf09b9b5d
Instruction Fuzzy Hash: 57027E7190021AAFDB14DF64CD89FAE7BBAEF48310F048519F915AB2A5C774ED01DBA0

Function 00FD70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FD712F
GetSysColorBrush.USER32(0000000F), ref: 00FD7160
GetSysColor.USER32(0000000F), ref: 00FD716C
SetBkColor.GDI32(?,000000FF), ref: 00FD7186
SelectObject.GDI32(?,?), ref: 00FD7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00FD71C0
GetSysColor.USER32(00000010), ref: 00FD71C8
CreateSolidBrush.GDI32(00000000), ref: 00FD71CF
FrameRect.USER32(?,?,00000000), ref: 00FD71DE
DeleteObject.GDI32(00000000), ref: 00FD71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00FD7230
FillRect.USER32(?,?,?), ref: 00FD7262
GetWindowLongW.USER32(?,000000F0), ref: 00FD7284

Part of subcall function 00FD73E8: GetSysColor.USER32(00000012), ref: 00FD7421
Part of subcall function 00FD73E8: SetTextColor.GDI32(?,?), ref: 00FD7425
Part of subcall function 00FD73E8: GetSysColorBrush.USER32(0000000F), ref: 00FD743B
Part of subcall function 00FD73E8: GetSysColor.USER32(0000000F), ref: 00FD7446
Part of subcall function 00FD73E8: GetSysColor.USER32(00000011), ref: 00FD7463
Part of subcall function 00FD73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FD7471
Part of subcall function 00FD73E8: SelectObject.GDI32(?,00000000), ref: 00FD7482
Part of subcall function 00FD73E8: SetBkColor.GDI32(?,00000000), ref: 00FD748B
Part of subcall function 00FD73E8: SelectObject.GDI32(?,?), ref: 00FD7498
Part of subcall function 00FD73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FD74B7
Part of subcall function 00FD73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FD74CE
Part of subcall function 00FD73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FD74DB

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: dc4b77fdcf71d07c1ebbf9f2326c761b93f8c6c21b7493c74c9f4a64df26f54f
Instruction ID: 4036bce6629f342a18ddfe7454029ffea24289baedaea5795b299723a14ae290
Opcode Fuzzy Hash: dc4b77fdcf71d07c1ebbf9f2326c761b93f8c6c21b7493c74c9f4a64df26f54f
Instruction Fuzzy Hash: E8A1B372409316AFDB00AF60DC48B5BBBAAFF49321F140B1AF962961E1D731D944EB91

Function 00F58D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F58E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F96AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F96AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F96F43

Part of subcall function 00F58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F58BE8,?,00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F58FC5

SendMessageW.USER32(?,00001053), ref: 00F96F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F96F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F96FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F96FB7

Strings

0, xrefs: 00F96DCF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f908c670a9a51435c9f87e8ac14fb8f968862ef9dfa8a9d13ff2ec4857e23a59
Instruction ID: a51c767b47d925a38c94fee76191353dc66b0dae3241515034ba1b1f209dbf6c
Opcode Fuzzy Hash: f908c670a9a51435c9f87e8ac14fb8f968862ef9dfa8a9d13ff2ec4857e23a59
Instruction Fuzzy Hash: 8112D030A01202EFEB25DF24D845BA9BBF2FB44321F144069F695DB251CB36EC56EB91

Function 00FC2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FC273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FC286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FC28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FC28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FC2900
GetClientRect.USER32(00000000,?), ref: 00FC290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FC2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FC2964
GetStockObject.GDI32(00000011), ref: 00FC2974
SelectObject.GDI32(00000000,00000000), ref: 00FC2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FC2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC2991
DeleteDC.GDI32(00000000), ref: 00FC299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FC29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FC29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FC2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FC2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FC2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FC2A77
GetStockObject.GDI32(00000011), ref: 00FC2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FC2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FC2A97

Strings

msctls_progress32, xrefs: 00FC2A13
static, xrefs: 00FC294F, 00FC2A71
DISPLAY, xrefs: 00FC295A
AutoIt v3, xrefs: 00FC28F8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 14d7f90c013ccff68eea0c07d478a94078035cb57458922a4468e9d474eb1004
Instruction ID: a6b9527c23f6b9f38767b4fb13aeaa7505d63b2718d5fb6683c6f4d35b60ffd5
Opcode Fuzzy Hash: 14d7f90c013ccff68eea0c07d478a94078035cb57458922a4468e9d474eb1004
Instruction Fuzzy Hash: AAB13CB1A4021AAFEB14DF78CD86FAE7BA9EB04710F008519FA15E7294D774E940DB90

Function 00FB4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB4AED
GetDriveTypeW.KERNEL32(?,00FDCB68,?,\\.\,00FDCC08), ref: 00FB4BCA
SetErrorMode.KERNEL32(00000000,00FDCB68,?,\\.\,00FDCC08), ref: 00FB4D36

Strings

PhysicalDrive, xrefs: 00FB4B76
Network, xrefs: 00FB4C02
SCSI, xrefs: 00FB4C8A
ATA, xrefs: 00FB4C98
MMC, xrefs: 00FB4CDE
RAID, xrefs: 00FB4CBB
Virtual, xrefs: 00FB4CE5
Unknown, xrefs: 00FB4BED, 00FB4C83
SSD, xrefs: 00FB4C4A
RAMDisk, xrefs: 00FB4BF4
Fibre, xrefs: 00FB4CAD
USB, xrefs: 00FB4CB4
iSCSI, xrefs: 00FB4CC2
SAS, xrefs: 00FB4CC9
\\.\, xrefs: 00FB4B3F
ATAPI, xrefs: 00FB4C91
FileBackedVirtual, xrefs: 00FB4CEC
SATA, xrefs: 00FB4CD0
Fixed, xrefs: 00FB4C09
CDROM, xrefs: 00FB4BFB
1394, xrefs: 00FB4C9F
SSA, xrefs: 00FB4CA6
Removable, xrefs: 00FB4C10, 00FB4C15

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ccfe13167009c3d6b71010475decc4fbad426cdafc35e74fc32cc3a7663e62c7
Instruction ID: e3da23c4b208bec1be4111bf76dc7b1bc74c528f25111e131f65d927fb43609a
Opcode Fuzzy Hash: ccfe13167009c3d6b71010475decc4fbad426cdafc35e74fc32cc3a7663e62c7
Instruction Fuzzy Hash: 1561E771A051069BDB05EF16CB81EF97BA2AB44700F24401AF8069B293CB36FD45FF41

Function 00FD73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FD7421
SetTextColor.GDI32(?,?), ref: 00FD7425
GetSysColorBrush.USER32(0000000F), ref: 00FD743B
GetSysColor.USER32(0000000F), ref: 00FD7446
CreateSolidBrush.GDI32(?), ref: 00FD744B
GetSysColor.USER32(00000011), ref: 00FD7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FD7471
SelectObject.GDI32(?,00000000), ref: 00FD7482
SetBkColor.GDI32(?,00000000), ref: 00FD748B
SelectObject.GDI32(?,?), ref: 00FD7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00FD74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FD74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FD7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00FD7572
DrawFocusRect.USER32(?,?), ref: 00FD757D
GetSysColor.USER32(00000011), ref: 00FD758E
SetTextColor.GDI32(?,00000000), ref: 00FD7596
DrawTextW.USER32(?,00FD70F5,000000FF,?,00000000), ref: 00FD75A8
SelectObject.GDI32(?,?), ref: 00FD75BF
DeleteObject.GDI32(?), ref: 00FD75CA
SelectObject.GDI32(?,?), ref: 00FD75D0
DeleteObject.GDI32(?), ref: 00FD75D5
SetTextColor.GDI32(?,?), ref: 00FD75DB
SetBkColor.GDI32(?,?), ref: 00FD75E5

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 71763371a0a59198a6035f71f8158299aca4fe24c49a1bbbec7a10fc40062390
Instruction ID: 09bbac6236aeee89d01a7701bcd78450e55d2afccb081bbedcaeb7116c9017ad
Opcode Fuzzy Hash: 71763371a0a59198a6035f71f8158299aca4fe24c49a1bbbec7a10fc40062390
Instruction Fuzzy Hash: 50616F72D01219AFDF019FA4DC49FEEBFBAEB09320F144116F915AB2A1D7749940EB90

Function 00FD0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FD1128
GetDesktopWindow.USER32 ref: 00FD113D
GetWindowRect.USER32(00000000), ref: 00FD1144
GetWindowLongW.USER32(?,000000F0), ref: 00FD1199
DestroyWindow.USER32(?), ref: 00FD11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FD11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FD121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FD1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FD1245
IsWindowVisible.USER32(00000000), ref: 00FD12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FD12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FD12D0
GetWindowRect.USER32(00000000,?), ref: 00FD12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00FD130E
GetMonitorInfoW.USER32(00000000,?), ref: 00FD1328
CopyRect.USER32(?,?), ref: 00FD133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FD13AA

Strings

(, xrefs: 00FD131B
tooltips_class32, xrefs: 00FD11E6
0, xrefs: 00FD10D3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7ab433fd3aec6f2495f1272033ec620e7fca34493bf51fc3a60fa030a5204f60
Instruction ID: 9cedeb8e07e55d920b438d3462ff0d6f22e4bb56a4e5e9a2e432dff96f3bc4ef
Opcode Fuzzy Hash: 7ab433fd3aec6f2495f1272033ec620e7fca34493bf51fc3a60fa030a5204f60
Instruction Fuzzy Hash: DBB17C71608341AFD714DF64C884B6BBBE6FF88350F04891AF9999B2A1C771E844EB91

Function 00F58891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F58968
GetSystemMetrics.USER32(00000007), ref: 00F58970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F5899B
GetSystemMetrics.USER32(00000008), ref: 00F589A3
GetSystemMetrics.USER32(00000004), ref: 00F589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F58A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F58A3C
GetClientRect.USER32(00000000,000000FF), ref: 00F58A5A
GetStockObject.GDI32(00000011), ref: 00F58A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F58A81

Part of subcall function 00F5912D: GetCursorPos.USER32(?), ref: 00F59141
Part of subcall function 00F5912D: ScreenToClient.USER32(00000000,?), ref: 00F5915E
Part of subcall function 00F5912D: GetAsyncKeyState.USER32(00000001), ref: 00F59183
Part of subcall function 00F5912D: GetAsyncKeyState.USER32(00000002), ref: 00F5919D

SetTimer.USER32(00000000,00000000,00000028,00F590FC), ref: 00F58AA8

Strings

AutoIt v3 GUI, xrefs: 00F58A20

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7f218bf6922c2efa86d8667743ee204c4f640acbcdc30d5448c529186786c103
Instruction ID: 6d992ddc2036f885d63f163ff7ae53edf5e9e9def37b7ca54e366c935329964c
Opcode Fuzzy Hash: 7f218bf6922c2efa86d8667743ee204c4f640acbcdc30d5448c529186786c103
Instruction Fuzzy Hash: FCB17D31A0020AAFDF14DFA8DC45BAE3BB5FB48325F14421AFA15E7290DB78E841DB51

Function 00FA0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1114
Part of subcall function 00FA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1120
Part of subcall function 00FA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA112F
Part of subcall function 00FA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1136
Part of subcall function 00FA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA0E29
GetLengthSid.ADVAPI32(?), ref: 00FA0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00FA0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA0E96
GetLengthSid.ADVAPI32(?), ref: 00FA0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FA0EB5
HeapAlloc.KERNEL32(00000000), ref: 00FA0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA0EDD
CopySid.ADVAPI32(00000000), ref: 00FA0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0F6E
HeapFree.KERNEL32(00000000), ref: 00FA0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0F7E
HeapFree.KERNEL32(00000000), ref: 00FA0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0F8E
HeapFree.KERNEL32(00000000), ref: 00FA0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA0FA1
HeapFree.KERNEL32(00000000), ref: 00FA0FA8

Part of subcall function 00FA1193: GetProcessHeap.KERNEL32(00000008,00FA0BB1,?,00000000,?,00FA0BB1,?), ref: 00FA11A1
Part of subcall function 00FA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FA0BB1,?), ref: 00FA11A8
Part of subcall function 00FA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FA0BB1,?), ref: 00FA11B7

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: da1dfcc2d8f95e9f491886ea26354f677340588645df96eda3597155e1200d63
Instruction ID: 8c3aeffc624a90c54507eb04978e38b986cebee6cee5e7e9605c06c9b872d15b
Opcode Fuzzy Hash: da1dfcc2d8f95e9f491886ea26354f677340588645df96eda3597155e1200d63
Instruction Fuzzy Hash: 9D714EB190121AEFDF209FA5EC48BAEBBB9FF05311F044116F919F6191DB319905EBA0

Function 00FCC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FDCC08,00000000,?,00000000,?,?), ref: 00FCC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FCC5A4
_wcslen.LIBCMT ref: 00FCC5F4
_wcslen.LIBCMT ref: 00FCC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FCC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FCC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FCC84D
RegCloseKey.ADVAPI32(?), ref: 00FCC881
RegCloseKey.ADVAPI32(00000000), ref: 00FCC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FCC960

Strings

REG_QWORD, xrefs: 00FCC8C3
REG_BINARY, xrefs: 00FCC913
REG_EXPAND_SZ, xrefs: 00FCC5CD
REG_MULTI_SZ, xrefs: 00FCC6F5
REG_DWORD, xrefs: 00FCC804
REG_SZ, xrefs: 00FCC644

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a6f503de96ce88835c276c7a0d0785c0a84baaf8ae302d7b67634e05fe6ccced
Instruction ID: 6c346a2ed7c92c6efd575a08bbe7815941f911a0750b50e6c1067f30b7380bce
Opcode Fuzzy Hash: a6f503de96ce88835c276c7a0d0785c0a84baaf8ae302d7b67634e05fe6ccced
Instruction Fuzzy Hash: 911249356042019FD714DF14C991F2ABBE5EF88724F08885DF88A9B3A2DB35ED41EB81

Function 00FD091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FD09C6
_wcslen.LIBCMT ref: 00FD0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD0A54
_wcslen.LIBCMT ref: 00FD0A8A
_wcslen.LIBCMT ref: 00FD0B06
_wcslen.LIBCMT ref: 00FD0B81

Part of subcall function 00F5F9F2: _wcslen.LIBCMT ref: 00F5F9FD

Part of subcall function 00FA2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FA2BFA

Strings

GETTEXT, xrefs: 00FD0C97
EXISTS, xrefs: 00FD0B7C, 00FD0B97
SELECT, xrefs: 00FD0D11
ISCHECKED, xrefs: 00FD0CE1
EXPAND, xrefs: 00FD0BF8
GETITEMCOUNT, xrefs: 00FD0C1E
UNCHECK, xrefs: 00FD0D3E
GETTOTALCOUNT, xrefs: 00FD09F2, 00FD0A17
CHECK, xrefs: 00FD0A85, 00FD0AA0
GETSELECTED, xrefs: 00FD0C4E
COLLAPSE, xrefs: 00FD0B01, 00FD0B1C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: cb166bdb62258821f4bcd3ac91ff28a753a9b500f880bd67905f8560b0cc6527
Instruction ID: 5befd6e3c2f292770cb198d4d5bc01066bfb8cde3692ef1f763c418e8ddb8fc8
Opcode Fuzzy Hash: cb166bdb62258821f4bcd3ac91ff28a753a9b500f880bd67905f8560b0cc6527
Instruction Fuzzy Hash: 02E193316087019FC714EF24C850A2AB7E2FF99324F18495EF8959B3A2DB35ED45EB81

Function 00FCC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
_wcslen.LIBCMT ref: 00FCC9F1
_wcslen.LIBCMT ref: 00FCCA68
_wcslen.LIBCMT ref: 00FCCA9E
_wcslen.LIBCMT ref: 00FCCAF9
_wcslen.LIBCMT ref: 00FCCB2F
_wcslen.LIBCMT ref: 00FCCB7F

Strings

HKCR, xrefs: 00FCCB29, 00FCCB2E
HKEY_USERS, xrefs: 00FCCBDF
HKEY_LOCAL_MACHINE, xrefs: 00FCCA62, 00FCCA67
HKEY_CLASSES_ROOT, xrefs: 00FCCAF3, 00FCCAF8
HKCU, xrefs: 00FCCBCE
HKLM, xrefs: 00FCCA98, 00FCCA9D
HKEY_CURRENT_USER, xrefs: 00FCCBBD
HKEY_CURRENT_CONFIG, xrefs: 00FCCB79, 00FCCB7E
HKCC, xrefs: 00FCCBAC
HKU, xrefs: 00FCCBF0

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 48427b2af887e5f02e007cab9233f651281e4ae0a026c789989f160d52b5ba40
Instruction ID: 1f66dde7f2529e975288837b675d2e0d5b08b2aa4350fa2edea6234ef294293d
Opcode Fuzzy Hash: 48427b2af887e5f02e007cab9233f651281e4ae0a026c789989f160d52b5ba40
Instruction Fuzzy Hash: 7471C632E0056B8BCB10DE78CE52BBA3391ABA5764F15051CEC9E97284E639DD45B3D0

Function 00FD833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FD835A
_wcslen.LIBCMT ref: 00FD836E
_wcslen.LIBCMT ref: 00FD8391
_wcslen.LIBCMT ref: 00FD83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FD83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00FD361A,?), ref: 00FD844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FD8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FD84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FD8501
FreeLibrary.KERNEL32(?), ref: 00FD850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FD851D
DestroyIcon.USER32(?), ref: 00FD852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FD8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FD8555

Strings

.dll, xrefs: 00FD83AB
.exe, xrefs: 00FD8388
.icl, xrefs: 00FD8368

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e81f8148d733bc902d8668e06a2e0ef96138ce00e5e100a96d49c7072e172ed0
Instruction ID: fba0583b906ac45ca437f516907d67bc6548e1bcedb5b77f6fde34561ea0cc9f
Opcode Fuzzy Hash: e81f8148d733bc902d8668e06a2e0ef96138ce00e5e100a96d49c7072e172ed0
Instruction Fuzzy Hash: 93610171900209BAEB14DF74DC41BBF77A9BF08B60F14460AF815DA2D0DF78A941E7A0

Function 00F47778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 00F477FF
#pragma compile, xrefs: 00F477D3
Cannot parse #include, xrefs: 00F85279
#ce, xrefs: 00F478ED
#comments-start, xrefs: 00F4785F, 00F478B1
#cs, xrefs: 00F47873, 00F478C5
Bad directive syntax error, xrefs: 00F8519A
#comments-end, xrefs: 00F478D9
#notrayicon, xrefs: 00F477E7
#include-once, xrefs: 00F4782F
', xrefs: 00F85169
Unterminated group of comments, xrefs: 00F8528C
", xrefs: 00F85153
#OnAutoItStartRegister, xrefs: 00F47817
#include, xrefs: 00F47847

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 050384dd43e3d8fc91bb0d7763342ff945ecebb034955b075112b0ccd6963023
Instruction ID: 6eb5259698f44a189adf168861aa1492555eef2662d34136e695b43b9b939d79
Opcode Fuzzy Hash: 050384dd43e3d8fc91bb0d7763342ff945ecebb034955b075112b0ccd6963023
Instruction Fuzzy Hash: F2812471A04705BBDB21BF60CC42FAE3BA9AF14740F044025FD05AA292EB79DA15F7A1

Function 00FB3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FB3EF8
_wcslen.LIBCMT ref: 00FB3F03
_wcslen.LIBCMT ref: 00FB3F5A
_wcslen.LIBCMT ref: 00FB3F98
GetDriveTypeW.KERNEL32(?), ref: 00FB3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB4087

Strings

set cd door , xrefs: 00FB4028
type cdaudio alias cd wait, xrefs: 00FB4001
closed, xrefs: 00FB3F08, 00FB3F2D, 00FB3F46, 00FB3F7E, 00FB3F97
close, xrefs: 00FB3EFE, 00FB3F18
wait, xrefs: 00FB4044
close cd wait, xrefs: 00FB4072
open, xrefs: 00FB3F54, 00FB3F59
open , xrefs: 00FB3FE5

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 1bf89ff36a87bef551f7ce2dc6c6ebc12b1292755a08aafb42ea18ae34e534e5
Instruction ID: 29c87c256b3ef3725bcdbb13af893af3585bae4626445cb3e5fadfd8ec9f6674
Opcode Fuzzy Hash: 1bf89ff36a87bef551f7ce2dc6c6ebc12b1292755a08aafb42ea18ae34e534e5
Instruction Fuzzy Hash: 7271F232A042129FD310EF25C8808BBBBF5EF94764F00492DF99597252EB35ED45EB91

Function 00FA5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FA5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FA5A40
SetWindowTextW.USER32(?,?), ref: 00FA5A57
GetDlgItem.USER32(?,000003EA), ref: 00FA5A6C
SetWindowTextW.USER32(00000000,?), ref: 00FA5A72
GetDlgItem.USER32(?,000003E9), ref: 00FA5A82
SetWindowTextW.USER32(00000000,?), ref: 00FA5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FA5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FA5AC3
GetWindowRect.USER32(?,?), ref: 00FA5ACC
_wcslen.LIBCMT ref: 00FA5B33
SetWindowTextW.USER32(?,?), ref: 00FA5B6F
GetDesktopWindow.USER32 ref: 00FA5B75
GetWindowRect.USER32(00000000), ref: 00FA5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FA5BD3
GetClientRect.USER32(?,?), ref: 00FA5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00FA5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FA5C2F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 21554c8d18c759f7b2c1d258b0f73e8db1cec94ea44a25871a6f32ac63067743
Instruction ID: b32e47837e3f818821ba95af37d4034a9e6dd270a3d5ed98887b61829639bced
Opcode Fuzzy Hash: 21554c8d18c759f7b2c1d258b0f73e8db1cec94ea44a25871a6f32ac63067743
Instruction Fuzzy Hash: 00718F71A00B09AFDB20DFB8CD45B6EBBF5FF48B15F104519E146A25A0D774E904EB60

Function 00FBFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FBFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00FBFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00FBFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00FBFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00FBFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00FBFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00FBFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00FBFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00FBFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00FBFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00FBFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00FBFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00FBFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00FBFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00FBFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00FBFECC
GetCursorInfo.USER32(?), ref: 00FBFEDC
GetLastError.KERNEL32 ref: 00FBFF1E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: eedf976e3a01fc21ea0ebe2e33cee4b6aa8cf21fe65052e0f7061ad5e00db620
Instruction ID: 2df9563f2ea97fbf74a8d29aae51da5d1f979417f101c628dc0eb4df9c5ca8d9
Opcode Fuzzy Hash: eedf976e3a01fc21ea0ebe2e33cee4b6aa8cf21fe65052e0f7061ad5e00db620
Instruction Fuzzy Hash: F94174B0D053196ADB109FBA8C8586EBFE8FF04764B50462AE11DEB281DB78D901CE91

Function 00F600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F600C6

Part of subcall function 00F600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0101070C,00000FA0,E601EA9F,?,?,?,?,00F823B3,000000FF), ref: 00F6011C
Part of subcall function 00F600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F823B3,000000FF), ref: 00F60127
Part of subcall function 00F600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F823B3,000000FF), ref: 00F60138
Part of subcall function 00F600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F6014E
Part of subcall function 00F600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F6015C
Part of subcall function 00F600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F6016A
Part of subcall function 00F600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F60195
Part of subcall function 00F600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F601A0

___scrt_fastfail.LIBCMT ref: 00F600E7

Part of subcall function 00F600A3: __onexit.LIBCMT ref: 00F600A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F60122
WakeAllConditionVariable, xrefs: 00F60162
InitializeConditionVariable, xrefs: 00F60148
kernel32.dll, xrefs: 00F60133
SleepConditionVariableCS, xrefs: 00F60154

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a12073891e48b81d96722e64c869ea055b586c248234f96e450b5f9de90233f1
Instruction ID: 71a6752bbac90d8deb5cf712e95aa8642cd8ada91b54fb72b9f3cd62097560d8
Opcode Fuzzy Hash: a12073891e48b81d96722e64c869ea055b586c248234f96e450b5f9de90233f1
Instruction Fuzzy Hash: B921FC32E457156BD7115B74AC06F5B3396EB06B61F24013BF942D7285DF688804FA91

Function 00FA30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA318D
_wcslen.LIBCMT ref: 00FA31F8

Strings

REGEXPCLASS, xrefs: 00FA3255, 00FA3266
NAME, xrefs: 00FA3335, 00FA3346
TEXT, xrefs: 00FA347C
CLASS, xrefs: 00FA3188, 00FA31A5
INSTANCE, xrefs: 00FA3453
CLASSNN, xrefs: 00FA31F3, 00FA3204

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5cec1022c602a3caf82a6735461b3d8fb8d3cb9a80cd0fdb28dea68aa1cd14dd
Instruction ID: 96809d440d243925da93c75c5e601ffd9f69e74059aa29fefbed36e4c3f64fff
Opcode Fuzzy Hash: 5cec1022c602a3caf82a6735461b3d8fb8d3cb9a80cd0fdb28dea68aa1cd14dd
Instruction Fuzzy Hash: 76E1E472E006169FCB15DFA8C8517EDFBB4BF16720F548119F856A7240DB30AE85BBA0

Function 00FB44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FDCC08), ref: 00FB4527
_wcslen.LIBCMT ref: 00FB453B
_wcslen.LIBCMT ref: 00FB4599
_wcslen.LIBCMT ref: 00FB45F4
_wcslen.LIBCMT ref: 00FB463F
_wcslen.LIBCMT ref: 00FB46A7

Part of subcall function 00F5F9F2: _wcslen.LIBCMT ref: 00F5F9FD

GetDriveTypeW.KERNEL32(?,01006BF0,00000061), ref: 00FB4743

Strings

fixed, xrefs: 00FB4635, 00FB463A
ramdisk, xrefs: 00FB46F1
removable, xrefs: 00FB45EA, 00FB45EF
network, xrefs: 00FB469D, 00FB46A2
cdrom, xrefs: 00FB458F, 00FB4594
all, xrefs: 00FB4531, 00FB4536
unknown, xrefs: 00FB4708

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e0b1bb48bb58ae02f36c567b0c9888878cfc925ca1aece5c786cb68efd699a0d
Instruction ID: adafb6bb8cb0e6315e6605ed1f2a624659cdf4d120f8d708d19b6e2ef1c5e4a8
Opcode Fuzzy Hash: e0b1bb48bb58ae02f36c567b0c9888878cfc925ca1aece5c786cb68efd699a0d
Instruction Fuzzy Hash: 53B1E571A083029FC710EF29C990AAAF7E5BF95720F54491DF496C7292DB34E844EF92

Function 00FC3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FDCC08), ref: 00FC40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FC40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00FDCC08), ref: 00FC40F2
FreeLibrary.KERNEL32(00000000,?,00FDCC08), ref: 00FC413E
StringFromGUID2.OLE32(?,?,00000028,?,00FDCC08), ref: 00FC41A8
SysFreeString.OLEAUT32(00000009), ref: 00FC4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FC42C8
SysFreeString.OLEAUT32(?), ref: 00FC42F2

Strings

GetModuleHandleExW, xrefs: 00FC40C7
kernel32.dll, xrefs: 00FC40B6

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 428e8c477a655268a3040bffcac1fa3b2bdb3dfc4010334f2352de701abf4db7
Instruction ID: 9fcd1b21c05394c4bd9e771a856a648f9c71880e03bfde27feb38da824a176e7
Opcode Fuzzy Hash: 428e8c477a655268a3040bffcac1fa3b2bdb3dfc4010334f2352de701abf4db7
Instruction Fuzzy Hash: 9D124971A0010AEFDB14CF94C995FAEBBB5FF85314F248099E9059B251C731ED42EBA0

Function 00F4326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01011990), ref: 00F82F8D
GetMenuItemCount.USER32(01011990), ref: 00F8303D
GetCursorPos.USER32(?), ref: 00F83081
SetForegroundWindow.USER32(00000000), ref: 00F8308A
TrackPopupMenuEx.USER32(01011990,00000000,?,00000000,00000000,00000000), ref: 00F8309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F830A9

Strings

0, xrefs: 00F4327D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: bb8d567704341299818a0564c00e602f58514d6375b54ca7aeeb6b3a194d2036
Instruction ID: 07d1c90320579f49d987a6053c76fdeb1d9600ccf3def719793e2b7ae85e5d11
Opcode Fuzzy Hash: bb8d567704341299818a0564c00e602f58514d6375b54ca7aeeb6b3a194d2036
Instruction Fuzzy Hash: 74712A71A44206BEEB219F24DC49FDABF69FF05334F244216FA146A1E1C7B1A910FB91

Function 00FD6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00FD6DEB

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FD6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FD6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD6E94
DestroyWindow.USER32(?), ref: 00FD6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F40000,00000000), ref: 00FD6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD6EFD
GetDesktopWindow.USER32 ref: 00FD6F16
GetWindowRect.USER32(00000000), ref: 00FD6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FD6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FD6F4D

Part of subcall function 00F59944: GetWindowLongW.USER32(?,000000EB), ref: 00F59952

Strings

0, xrefs: 00FD6D98
tooltips_class32, xrefs: 00FD6E58, 00FD6EDD

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c654104eedd13fafaf85d1849858103b0a6390f309cece86f8c5426f87f3af85
Instruction ID: 76bc65590c9c058f8ecc38fedce5cfa7ed40d6505b937daea32714bb3d1d347e
Opcode Fuzzy Hash: c654104eedd13fafaf85d1849858103b0a6390f309cece86f8c5426f87f3af85
Instruction Fuzzy Hash: 37719770504245AFDB22CF28D844BAABBFAFB88314F08041EF999C7361D775E905EB16

Function 00FD911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

DragQueryPoint.SHELL32(?,?), ref: 00FD9147

Part of subcall function 00FD7674: ClientToScreen.USER32(?,?), ref: 00FD769A
Part of subcall function 00FD7674: GetWindowRect.USER32(?,?), ref: 00FD7710
Part of subcall function 00FD7674: PtInRect.USER32(?,?,00FD8B89), ref: 00FD7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00FD91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FD91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FD91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FD9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00FD923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FD9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00FD9277
DragFinish.SHELL32(?), ref: 00FD927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FD9371

Strings

@GUI_DRAGFILE, xrefs: 00FD9320
@GUI_DROPID, xrefs: 00FD929E
@GUI_DRAGID, xrefs: 00FD92E9

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4757a17162f35582a0d256113d93f40000806670733b45e6c969a959a13daee8
Instruction ID: c7856a11a156cd5863b5da03ff85173bd471f7d65abdda2444fb1b4d2b15a76d
Opcode Fuzzy Hash: 4757a17162f35582a0d256113d93f40000806670733b45e6c969a959a13daee8
Instruction Fuzzy Hash: C0618C71108301AFD701DFA4DC85DAFBBE9EF89350F00091EF995932A1DB749A49DBA2

Function 00FBC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FBC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FBC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FBC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FBC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FBC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FBC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FBC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FBC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FBC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FBC5F0
InternetCloseHandle.WININET(00000000), ref: 00FBC5FB

Strings

, xrefs: 00FBC575

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 99c7bbc9efe30581fdc2d4322803739d541a3c6bf90c8c0853a264500d7e0b97
Instruction ID: 12b706efbad24b07bab771a4654c62465992556f85c1a18c4404c4313b52c878
Opcode Fuzzy Hash: 99c7bbc9efe30581fdc2d4322803739d541a3c6bf90c8c0853a264500d7e0b97
Instruction Fuzzy Hash: 575138B1601209BFDB219F62C988AAB7BBDEF08754F04441AF945D6210DB34EA44EFE0

Function 00FD856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00FD8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00FD85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FD85AD
CloseHandle.KERNEL32(00000000), ref: 00FD85BA
GlobalLock.KERNEL32(00000000), ref: 00FD85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FD85D7
GlobalUnlock.KERNEL32(00000000), ref: 00FD85E0
CloseHandle.KERNEL32(00000000), ref: 00FD85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FD85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FDFC38,?), ref: 00FD8611
GlobalFree.KERNEL32(00000000), ref: 00FD8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00FD8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FD8671
DeleteObject.GDI32(00000000), ref: 00FD8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FD86AF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cf7ac05f8424684f9e98c72a6f884e107ca685eeccdbcc5d83505f9bc6216578
Instruction ID: b65c06954a56347cf51187eed0fb5b820b13a9282c5472cab8fa4492e5d7aba5
Opcode Fuzzy Hash: cf7ac05f8424684f9e98c72a6f884e107ca685eeccdbcc5d83505f9bc6216578
Instruction Fuzzy Hash: 7A415971601209AFDB108FA5DC48EAE7BBEEF89761F04415AF909E7260DB309D01EB60

Function 00FB14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FB1502
VariantCopy.OLEAUT32(?,?), ref: 00FB150B
VariantClear.OLEAUT32(?), ref: 00FB1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FB15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FB1657
VariantInit.OLEAUT32(?), ref: 00FB1708
SysFreeString.OLEAUT32(?), ref: 00FB178C
VariantClear.OLEAUT32(?), ref: 00FB17D8
VariantClear.OLEAUT32(?), ref: 00FB17E7
VariantInit.OLEAUT32(00000000), ref: 00FB1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FB1625
Default, xrefs: 00FB16AF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 643477a729e9e4e513803ffbd2498580783d5f1a151eabaf680846287d8c3248
Instruction ID: 65457f39e183b7d587f8673c25f00617a40f11b646195114005c7d3a2f9148f3
Opcode Fuzzy Hash: 643477a729e9e4e513803ffbd2498580783d5f1a151eabaf680846287d8c3248
Instruction Fuzzy Hash: AED1F132A00115DBDB209F66E8A5BB9B7B5BF45700FA88156F906AB180DB34DC44FFA1

Function 00FCB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCC9F1
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA68
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00FCB80A
RegCloseKey.ADVAPI32(?), ref: 00FCB87E
RegCloseKey.ADVAPI32(?), ref: 00FCB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FCB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FCB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FCB922
FreeLibrary.KERNEL32(00000000), ref: 00FCB983
RegCloseKey.ADVAPI32(00000000), ref: 00FCB994

Strings

advapi32.dll, xrefs: 00FCB8ED
RegDeleteKeyExW, xrefs: 00FCB8FE

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d58d80eed68eed0fca0be01d415f771b65e8d7322e9f8864702e67bc46e00e62
Instruction ID: 0aefd3b14ae4bd308ad13dc9cfe2d6285718f5d0788676cd9e39af6e6ea27bc4
Opcode Fuzzy Hash: d58d80eed68eed0fca0be01d415f771b65e8d7322e9f8864702e67bc46e00e62
Instruction Fuzzy Hash: D7C1A035605202AFD710DF24C996F2ABBE5BF84314F14845CF8998B6A2CB35EC45EB91

Function 00FC255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FC25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FC25E8
CreateCompatibleDC.GDI32(?), ref: 00FC25F4
SelectObject.GDI32(00000000,?), ref: 00FC2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FC266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FC26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FC26D0
SelectObject.GDI32(?,?), ref: 00FC26D8
DeleteObject.GDI32(?), ref: 00FC26E1
DeleteDC.GDI32(?), ref: 00FC26E8
ReleaseDC.USER32(00000000,?), ref: 00FC26F3

Strings

(, xrefs: 00FC268D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 28dd37b8e6d72fb077108e7959ff492f554c670aba5e677efc5c7f44c1e60bb8
Instruction ID: 80ce327b93d8e8cbd51ba08d53daacf8b949c29cdd366e2cb54d913d986b8285
Opcode Fuzzy Hash: 28dd37b8e6d72fb077108e7959ff492f554c670aba5e677efc5c7f44c1e60bb8
Instruction Fuzzy Hash: F0610475D0021AEFCF04CFA4C985EAEBBB6FF48310F20851AE955A7250D334A941EFA0

Function 00F7DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F7DAA1

Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D659
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D66B
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D67D
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D68F
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6A1
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6B3
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6C5
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6D7
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6E9
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6FB
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D70D
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D71F
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D731

_free.LIBCMT ref: 00F7DA96

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F7DAB8
_free.LIBCMT ref: 00F7DACD
_free.LIBCMT ref: 00F7DAD8
_free.LIBCMT ref: 00F7DAFA
_free.LIBCMT ref: 00F7DB0D
_free.LIBCMT ref: 00F7DB1B
_free.LIBCMT ref: 00F7DB26
_free.LIBCMT ref: 00F7DB5E
_free.LIBCMT ref: 00F7DB65
_free.LIBCMT ref: 00F7DB82
_free.LIBCMT ref: 00F7DB9A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3ccde16ba2bb976d2d0f4f7653f788d97775e7dd5081300635832c449d4071c8
Instruction ID: 6178c4d310323fb467f1f4cca5dddacdafb70a59f35b110da6dbeade2cdb4867
Opcode Fuzzy Hash: 3ccde16ba2bb976d2d0f4f7653f788d97775e7dd5081300635832c449d4071c8
Instruction Fuzzy Hash: 2A313B31A042059FEB61AA39EC45B56B7F9FF40320F95842BE54DD7192DB39AC80A722

Function 00FA365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FA369C
_wcslen.LIBCMT ref: 00FA36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FA3797
GetClassNameW.USER32(?,?,00000400), ref: 00FA380C
GetDlgCtrlID.USER32(?), ref: 00FA385D
GetWindowRect.USER32(?,?), ref: 00FA3882
GetParent.USER32(?), ref: 00FA38A0
ScreenToClient.USER32(00000000), ref: 00FA38A7
GetClassNameW.USER32(?,?,00000100), ref: 00FA3921
GetWindowTextW.USER32(?,?,00000400), ref: 00FA395D

Strings

%s%u, xrefs: 00FA3734

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: a5f3882e25bfd04c81087b4922266012a3158f648edf0c8010a4878f15b08985
Instruction ID: 2c966ad87ede04e493829fc4b977737697e9fcb9fb0ccdf7db3a3535a322edc3
Opcode Fuzzy Hash: a5f3882e25bfd04c81087b4922266012a3158f648edf0c8010a4878f15b08985
Instruction Fuzzy Hash: 0491F4B1604706AFD708DF24C885FAAF7A9FF49350F008629F999C2190DB34EA45EBD1

Function 00FA4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00FA4994
GetWindowTextW.USER32(?,?,00000400), ref: 00FA49DA
_wcslen.LIBCMT ref: 00FA49EB
CharUpperBuffW.USER32(?,00000000), ref: 00FA49F7
_wcsstr.LIBVCRUNTIME ref: 00FA4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FA4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00FA4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FA4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00FA4B20
GetWindowRect.USER32(?,?), ref: 00FA4B8B

Strings

ThumbnailClass, xrefs: 00FA4A6F, 00FA4AF1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 9464746b81ab85030c61b1cde7a6c05cd9ad3e22a1c790ffd9145a7c1d37b12a
Instruction ID: 49a2ec8ff215726ed70dbd938ac401f03801cead4bb5d227f28f39104653c984
Opcode Fuzzy Hash: 9464746b81ab85030c61b1cde7a6c05cd9ad3e22a1c790ffd9145a7c1d37b12a
Instruction Fuzzy Hash: E991D2B15082059FDB04CF14C881BAA77E8FFC5364F04446AFD899A096DBB4FD45EBA1

Function 00FABF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01011990,000000FF,00000000,00000030), ref: 00FABFAC
SetMenuItemInfoW.USER32(01011990,00000004,00000000,00000030), ref: 00FABFE1
Sleep.KERNEL32(000001F4), ref: 00FABFF3
GetMenuItemCount.USER32(?), ref: 00FAC039
GetMenuItemID.USER32(?,00000000), ref: 00FAC056
GetMenuItemID.USER32(?,-00000001), ref: 00FAC082
GetMenuItemID.USER32(?,?), ref: 00FAC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FAC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FAC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FAC145

Strings

0, xrefs: 00FABF3D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: c8b54ab4ee17d8fd57bd9844573c2b088d0d07e370001511bfc0adce9b71d245
Instruction ID: 59b0b51f3bd67103888511cacf6df7e185cac46fb39918f3be875aa550b1712d
Opcode Fuzzy Hash: c8b54ab4ee17d8fd57bd9844573c2b088d0d07e370001511bfc0adce9b71d245
Instruction Fuzzy Hash: AF61AEF0A0024AAFDF15CF64DD88AEEBBB9EB06354F044115F951A3292C735AD04EBA0

Function 00FCCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FCCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FCCD48

Part of subcall function 00FCCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FCCCAA
Part of subcall function 00FCCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FCCCBD
Part of subcall function 00FCCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FCCCCF
Part of subcall function 00FCCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FCCD05
Part of subcall function 00FCCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FCCCF3

Strings

advapi32.dll, xrefs: 00FCCCB8
RegDeleteKeyExW, xrefs: 00FCCCC9

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 034f0540123a26545bc38101bf905a7b096663434fee818bee2df283a705ea0c
Instruction ID: fb0fda088a37540a26ce6b2fa3d10331e384584ffb919195375cfad21358fa1e
Opcode Fuzzy Hash: 034f0540123a26545bc38101bf905a7b096663434fee818bee2df283a705ea0c
Instruction Fuzzy Hash: F2319272D0112EBBDB20CB61DD89EFFBB7CEF41750F000169E91AE2140DA345A45EAE0

Function 00FB3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FB3D40
_wcslen.LIBCMT ref: 00FB3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FB3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FB3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FB3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FB3E55
CloseHandle.KERNEL32(00000000), ref: 00FB3E60
CloseHandle.KERNEL32(00000000), ref: 00FB3E6B

Strings

\, xrefs: 00FB3D77
:, xrefs: 00FB3D82
\??\%s, xrefs: 00FB3D5B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1147d4e1f85c38dfe271e1f144ceee6d0a0d87adb328384173c9ca393ea0a4fe
Instruction ID: 97a7960c4ac2b5f392043b8af9426a127fb08bb1e448fae3403a16605c952238
Opcode Fuzzy Hash: 1147d4e1f85c38dfe271e1f144ceee6d0a0d87adb328384173c9ca393ea0a4fe
Instruction Fuzzy Hash: B131C172A4021AABDB209BA1DC49FEF37BDEF88710F1041A6F605D6060EB749744EB64

Function 00FAE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FAE6B4

Part of subcall function 00F5E551: timeGetTime.WINMM(?,?,00FAE6D4), ref: 00F5E555

Sleep.KERNEL32(0000000A), ref: 00FAE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00FAE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FAE727
SetActiveWindow.USER32 ref: 00FAE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FAE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FAE773
Sleep.KERNEL32(000000FA), ref: 00FAE77E
IsWindow.USER32 ref: 00FAE78A
EndDialog.USER32(00000000), ref: 00FAE79B

Strings

BUTTON, xrefs: 00FAE719

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 98613e7954eb6fd40fce206064d4d25ad9a74d43fa621ec2f9c57d16939cfa9e
Instruction ID: 6c52ed84ccc7d937132501447612b5c4ff8f5b5c0358d1d0a0e8dbd5600ea730
Opcode Fuzzy Hash: 98613e7954eb6fd40fce206064d4d25ad9a74d43fa621ec2f9c57d16939cfa9e
Instruction Fuzzy Hash: 6721C6F0310209AFEB105F30EC89B253B6AF79A358F100826F555822D5DB7EAC10FB64

Function 00FAE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FAEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FAEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FAEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FAEAA7

Strings

status PlayMe mode, xrefs: 00FAEA58
play PlayMe, xrefs: 00FAEAA2
close PlayMe, xrefs: 00FAEA6E, 00FAEA9B
play PlayMe wait, xrefs: 00FAEA91
alias PlayMe, xrefs: 00FAEA36
open , xrefs: 00FAEA0C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 98e8f1f666fea4a2930710cd7dc7de0e3db377a1709599a51cacd66f4b9d2454
Instruction ID: bbdffde3eeaf4d07770c0dc640dd504597192f57d4f2bc603147877cbed451c4
Opcode Fuzzy Hash: 98e8f1f666fea4a2930710cd7dc7de0e3db377a1709599a51cacd66f4b9d2454
Instruction Fuzzy Hash: 3B11A371B9025979E721A7A2DC4AEFF7EBCEBD2B10F0004297801A70D1EEA51915D5B0

Function 00FA9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FAA012
SetKeyboardState.USER32(?), ref: 00FAA07D
GetAsyncKeyState.USER32(000000A0), ref: 00FAA09D
GetKeyState.USER32(000000A0), ref: 00FAA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00FAA0E3
GetKeyState.USER32(000000A1), ref: 00FAA0F4
GetAsyncKeyState.USER32(00000011), ref: 00FAA120
GetKeyState.USER32(00000011), ref: 00FAA12E
GetAsyncKeyState.USER32(00000012), ref: 00FAA157
GetKeyState.USER32(00000012), ref: 00FAA165
GetAsyncKeyState.USER32(0000005B), ref: 00FAA18E
GetKeyState.USER32(0000005B), ref: 00FAA19C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ff42b5fac84eec5d692622173e169aa98252c0844a6654ba81f371238e1433fa
Instruction ID: 0c874ed8e23440f17d3b3fc4f1b8e9fbb56d84a35d76853fe75d43273017a260
Opcode Fuzzy Hash: ff42b5fac84eec5d692622173e169aa98252c0844a6654ba81f371238e1433fa
Instruction Fuzzy Hash: 4851BCA4D0878829FB35DB7088117EABFF55F13390F08859AD5C2571C3DB94AA4CEB62

Function 00FA5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FA5CE2
GetWindowRect.USER32(00000000,?), ref: 00FA5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FA5D59
GetDlgItem.USER32(?,00000002), ref: 00FA5D69
GetWindowRect.USER32(00000000,?), ref: 00FA5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FA5DCF
GetDlgItem.USER32(?,000003E9), ref: 00FA5DDD
GetWindowRect.USER32(00000000,?), ref: 00FA5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FA5E31
GetDlgItem.USER32(?,000003EA), ref: 00FA5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FA5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00FA5E67

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e0475adbbb863d3b9968ae00c1bd95cf3c0bc32fb659d0c468488062a0f06b09
Instruction ID: 7029a860c8c8f3b7b1971f914b6db1b178e37330c95c466af8668818612766e1
Opcode Fuzzy Hash: e0475adbbb863d3b9968ae00c1bd95cf3c0bc32fb659d0c468488062a0f06b09
Instruction Fuzzy Hash: 8351FFB1E0060AAFDF18CF68DD89AAEBBB6FB49710F148129F515E7290D7709E04DB50

Function 00F58BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F58BE8,?,00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F58FC5

DestroyWindow.USER32(?), ref: 00F58C81
KillTimer.USER32(00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F58D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F96973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F58BBA,00000000), ref: 00F969D4
DeleteObject.GDI32(00000000), ref: 00F969E6

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3ca60459d90a4214b87b1200e43e11d14d87ce00fd0061d2a8334bd245165966
Instruction ID: ed950e8a9dd0f1ce8939750712c5da587c59a9b192e1e7e84f0e3f7db8a3b37b
Opcode Fuzzy Hash: 3ca60459d90a4214b87b1200e43e11d14d87ce00fd0061d2a8334bd245165966
Instruction Fuzzy Hash: C761AF31902605DFDF359F24D948B2977F2FB403A2F144519EA82A7564CB3AAC86FF90

Function 00F59838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F59944: GetWindowLongW.USER32(?,000000EB), ref: 00F59952

GetSysColor.USER32(0000000F), ref: 00F59862

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f971593333fc2944ed678a671fd82b2dfb9c2655394c887e0dff71968c4a415f
Instruction ID: db0ee78ed7d8b1611565bc40d28b1ba8ce180c90489e85400b8bbfdcddc77b33
Opcode Fuzzy Hash: f971593333fc2944ed678a671fd82b2dfb9c2655394c887e0dff71968c4a415f
Instruction Fuzzy Hash: F941B131509714EFDF245F389C84BB93B66AB06332F584606FAA28B1E1C7719845FB50

Function 00FA96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00FA9717
LoadStringW.USER32(00000000,?,00F8F7F8,00000001), ref: 00FA9720

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00FA9742
LoadStringW.USER32(00000000,?,00F8F7F8,00000001), ref: 00FA9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00FA9866

Strings

Line %d (File "%s"):, xrefs: 00FA978F
Error: , xrefs: 00FA981D
Line %d:, xrefs: 00FA97A0
^ ERROR, xrefs: 00FA97FB
%s (%d) : ==> %s: %s %s, xrefs: 00FA984A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f70eb461e2aafc833f09a14fff8290b2b95bc2a0b283cc86e6373d0849c34a72
Instruction ID: db80b2cc22ffc411855af867402b9e4ea3e29aa08584e1a0a9c6bb98d37eb708
Opcode Fuzzy Hash: f70eb461e2aafc833f09a14fff8290b2b95bc2a0b283cc86e6373d0849c34a72
Instruction Fuzzy Hash: 67416072904219AADF04EFE0DD86DEE7779AF55340F500025FA0172092EB796F48EBA1

Function 00FA06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FA07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FA07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FA07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FA0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FA082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA083C

Strings

SOFTWARE\Classes\, xrefs: 00FA070E
\CLSID, xrefs: 00FA0724
\IPC$, xrefs: 00FA0784

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d38649ad17d14f0aba3790784580211d0dae176d56380b8796951f4865c67739
Instruction ID: 2712d7459fe3d7683e3f0348c61e3b42cbf6d2fbeb1b72af05dca2b20753211f
Opcode Fuzzy Hash: d38649ad17d14f0aba3790784580211d0dae176d56380b8796951f4865c67739
Instruction Fuzzy Hash: E5410672C10229ABDF11EFA4DC95CEEBB78FF05750F044129E901A7161EB749E04EBA0

Function 00FD3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FD403B
CreateCompatibleDC.GDI32(00000000), ref: 00FD4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FD4055
SelectObject.GDI32(00000000,00000000), ref: 00FD405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FD4068
DeleteDC.GDI32(00000000), ref: 00FD4072
GetWindowLongW.USER32(?,000000EC), ref: 00FD407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00FD4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00FD409E

Strings

static, xrefs: 00FD3FD3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 4eb5a2d6e8aac935b1fb3fe49ca4247afce971731548b1b4170a01902600cdf9
Instruction ID: 0e643a31f928512f0d4000e0ff390a62dc7b3944fdeed11f7cf4ee38c2756fe2
Opcode Fuzzy Hash: 4eb5a2d6e8aac935b1fb3fe49ca4247afce971731548b1b4170a01902600cdf9
Instruction Fuzzy Hash: E1315C3250121AABDF219FB4DC09FDA3B6AEF0D320F150312FA58E61A0C775D811EBA4

Function 00FC3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC3C5C
CoInitialize.OLE32(00000000), ref: 00FC3C8A
CoUninitialize.OLE32 ref: 00FC3C94
_wcslen.LIBCMT ref: 00FC3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00FC3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FC3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FC3F0E
CoGetObject.OLE32(?,00000000,00FDFB98,?), ref: 00FC3F2D
SetErrorMode.KERNEL32(00000000), ref: 00FC3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FC3FC4
VariantClear.OLEAUT32(?), ref: 00FC3FD8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 2859f4797158329da08040b4d96ab0d8688fa383da8ff1db501144e6b0523873
Instruction ID: f86624a90e23be56416858f95840f18f854350364dd0bf61a17a487902a07716
Opcode Fuzzy Hash: 2859f4797158329da08040b4d96ab0d8688fa383da8ff1db501144e6b0523873
Instruction Fuzzy Hash: 49C135716082069FC700DF28C985E2BBBE9FF89794F04891DF98A9B251D730ED05DB92

Function 00FB7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FB7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FB7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FB7BA3
CoCreateInstance.OLE32(00FDFD08,00000000,00000001,01006E6C,?), ref: 00FB7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FB7C74
CoTaskMemFree.OLE32(?,?), ref: 00FB7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FB7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FB7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FB7D81
CoTaskMemFree.OLE32(00000000), ref: 00FB7DD6
CoUninitialize.OLE32 ref: 00FB7DDC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5478c49d9dd8f928c257df070e4a33e4f93844578bc3d7355ffd1b54a76b1551
Instruction ID: 1861dda0d98ddc2fce7fc5bf38a5ab2ced50e1922fe88504813fb56c2d19824f
Opcode Fuzzy Hash: 5478c49d9dd8f928c257df070e4a33e4f93844578bc3d7355ffd1b54a76b1551
Instruction Fuzzy Hash: E7C12975A04209AFCB14DFA5C884DAEBBB9FF88314B148499E819DB361D730ED45DF90

Function 00FD541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FD5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD5515
CharNextW.USER32(00000158), ref: 00FD5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FD5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FD559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD55AC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7f1e85748d8dd203355b419bfc451c962d2b76049805c04a515f1ce0ee9c7443
Instruction ID: a3dcdfb2699e5795f0dda4685d4a510c0f3b3a6a0d43f90c457554298c679c06
Opcode Fuzzy Hash: 7f1e85748d8dd203355b419bfc451c962d2b76049805c04a515f1ce0ee9c7443
Instruction Fuzzy Hash: A861A031900609ABDF10DF64CC94EFE7B7AEB06B34F184146F925AB390D7748A80EB61

Function 00F9FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F9FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F9FB08
VariantInit.OLEAUT32(?), ref: 00F9FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F9FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F9FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F9FBA1
VariantClear.OLEAUT32(?), ref: 00F9FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F9FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F9FBCC
VariantClear.OLEAUT32(?), ref: 00F9FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F9FBE9

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2169c1ba0051255a38fa48b5fe58284139bc83e4885fe0f1d54839fd834fbfcc
Instruction ID: 7065b93e826a34d450bbee8bbe61ccf74524b101d167ef0daf47aa4e2af6bb49
Opcode Fuzzy Hash: 2169c1ba0051255a38fa48b5fe58284139bc83e4885fe0f1d54839fd834fbfcc
Instruction Fuzzy Hash: 28415D35A0021A9FDF00DF68CC549AEBBB9EF48354F008069E956E7261CB34A949DBE0

Function 00FA9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FA9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00FA9D22
GetKeyState.USER32(000000A0), ref: 00FA9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00FA9D57
GetKeyState.USER32(000000A1), ref: 00FA9D6C
GetAsyncKeyState.USER32(00000011), ref: 00FA9D84
GetKeyState.USER32(00000011), ref: 00FA9D96
GetAsyncKeyState.USER32(00000012), ref: 00FA9DAE
GetKeyState.USER32(00000012), ref: 00FA9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00FA9DD8
GetKeyState.USER32(0000005B), ref: 00FA9DEA

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c0e11240862065daeb1b318c2788852112868abef911125a9bc1d6080a559973
Instruction ID: 3f901dd73af814d6d8b714eda5d998f57997c90e5cb929f6857beaf979375f40
Opcode Fuzzy Hash: c0e11240862065daeb1b318c2788852112868abef911125a9bc1d6080a559973
Instruction Fuzzy Hash: EC41D9B4D0CBCA69FF30877084443B5BEA16F13364F08807ADAC6565C2DBE499C4E7A2

Function 00FC055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FC05BC
inet_addr.WSOCK32(?), ref: 00FC061C
gethostbyname.WSOCK32(?), ref: 00FC0628
IcmpCreateFile.IPHLPAPI ref: 00FC0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00FC07B9
WSACleanup.WSOCK32 ref: 00FC07BF

Strings

Ping, xrefs: 00FC0676

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ba8618dc7da2ef69caaa839441b9f24f6db484ac1cdb82f3311eb7df7b574105
Instruction ID: 01c13f4a224b58f7a38f762965a693b3c04e9b1f846dc05ee392867ab21af876
Opcode Fuzzy Hash: ba8618dc7da2ef69caaa839441b9f24f6db484ac1cdb82f3311eb7df7b574105
Instruction Fuzzy Hash: F9919035A04202DFD724CF15C98AF16BBE1AF44328F14859DF4698B6A2CB34ED46EF91

Function 00FC8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FC8CF3

Part of subcall function 00FA8E54: _wcslen.LIBCMT ref: 00FA8E77

_wcslen.LIBCMT ref: 00FC8D4E
_wcslen.LIBCMT ref: 00FC8D9C
_wcslen.LIBCMT ref: 00FC8DDC
_wcslen.LIBCMT ref: 00FC8E6E

Strings

none, xrefs: 00FC8E65, 00FC8E6A
winapi, xrefs: 00FC8D96, 00FC8D9B
stdcall, xrefs: 00FC8DD6, 00FC8DDB
cdecl, xrefs: 00FC8D48, 00FC8D4D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 01a9a59d88a5803745025a0e6156cb738fb81931e131bdf3ba947feb0fe65e36
Instruction ID: c4b5774fc3f3af3be366fa58632b27dd1a7d4d691bd4a4d599ef4b18b1e41538
Opcode Fuzzy Hash: 01a9a59d88a5803745025a0e6156cb738fb81931e131bdf3ba947feb0fe65e36
Instruction Fuzzy Hash: 7E519331A001179BCB14DFACCA42ABEB7A5BF64360B20421DE856E72C5DF35DD41E790

Function 00FC372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FC3774
CoUninitialize.OLE32 ref: 00FC377F
CoCreateInstance.OLE32(?,00000000,00000017,00FDFB78,?), ref: 00FC37D9
IIDFromString.OLE32(?,?), ref: 00FC384C
VariantInit.OLEAUT32(?), ref: 00FC38E4
VariantClear.OLEAUT32(?), ref: 00FC3936

Strings

Failed to create object, xrefs: 00FC37E4, 00FC389A
NULL Pointer assignment, xrefs: 00FC381E
Invalid parameter, xrefs: 00FC3865

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: fb83e756fb871b5750124fe0b0694bc408f82cd8eebe20b82609362d2fb6eab4
Instruction ID: fd7b268381b99dcaf1fb049b818be3fa66eb24c53e5c41fb27533ab566902b0a
Opcode Fuzzy Hash: fb83e756fb871b5750124fe0b0694bc408f82cd8eebe20b82609362d2fb6eab4
Instruction Fuzzy Hash: AA61C571608302AFD311DF64C94AF5ABBE4EF89754F00890DF9859B291C774EE48EB92

Function 00FB3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FB33CF

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FB33F0

Strings

Line %d (File "%s"):, xrefs: 00FB3443, 00FB345C
Error: , xrefs: 00FB34D1
^ ERROR , xrefs: 00FB349E
Incorrect parameters to object property !, xrefs: 00FB34AB
"%s" (%d) : ==> %s:, xrefs: 00FB3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00FB3504

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: cfaeeac9dfa38a594d4e081a9265f977fe49efb555b29f34b359a7ae1c487a38
Instruction ID: fba0fca98f2c89d290c95d717f2affb69a2f129e331c7e00da124ade1397f4ec
Opcode Fuzzy Hash: cfaeeac9dfa38a594d4e081a9265f977fe49efb555b29f34b359a7ae1c487a38
Instruction Fuzzy Hash: A951C172D4020ABADF15EBA0CD46EEEB779AF04340F144165F90572052EB792F58EF61

Function 00FAB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FAB5FC
_wcslen.LIBCMT ref: 00FAB608
_wcslen.LIBCMT ref: 00FAB64D
_wcslen.LIBCMT ref: 00FAB68C
_wcslen.LIBCMT ref: 00FAB6C7

Strings

EXISTS, xrefs: 00FAB686, 00FAB68B
APPEND, xrefs: 00FAB6C1, 00FAB6C6
REMOVE, xrefs: 00FAB602, 00FAB607
KEYS, xrefs: 00FAB647, 00FAB64C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: c528902041e0fe19fbe1c9dd6ae3277e862fa217aea901ddea07d6377428b28e
Instruction ID: 92d5fd329f30918e1a6f91c094d6665faf08fac7bce075c4c958ed7c3f013e79
Opcode Fuzzy Hash: c528902041e0fe19fbe1c9dd6ae3277e862fa217aea901ddea07d6377428b28e
Instruction Fuzzy Hash: E74106B2E000269ACB106F7DCC905BE77A5BF62764B244169E465DB382F735CD81E790

Function 00FB5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FB5416
GetLastError.KERNEL32 ref: 00FB5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FB54A7

Strings

READONLY, xrefs: 00FB5452
UNKNOWN, xrefs: 00FB5444
NOTREADY, xrefs: 00FB544B
INVALID, xrefs: 00FB5459
READY, xrefs: 00FB5460, 00FB5468

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6e8ac279b959be84412a886f46685a46b463057196f808566b5fa38e3496f14f
Instruction ID: 2a3a944da9cac5a9ef76136af6b687e24de8115bc07b078925fcfcbf562e72b8
Opcode Fuzzy Hash: 6e8ac279b959be84412a886f46685a46b463057196f808566b5fa38e3496f14f
Instruction Fuzzy Hash: B631CE35E00205DFD701EF69C894BEA7BB5EB04715F148056E801CB292D77ADD86EB90

Function 00FD3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FD3C79
SetMenu.USER32(?,00000000), ref: 00FD3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD3D10
IsMenu.USER32(?), ref: 00FD3D24
CreatePopupMenu.USER32 ref: 00FD3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD3D5B
DrawMenuBar.USER32 ref: 00FD3D63

Strings

0, xrefs: 00FD3C54
F, xrefs: 00FD3D4E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 86ca901c5bee5ba7f8ee20eaa2730363fa292137ae30ece2c7699f841f21d25e
Instruction ID: cddee81817e129603ebd55d7505b4a031e13b5b200ab2e87b2cb0d151b23007a
Opcode Fuzzy Hash: 86ca901c5bee5ba7f8ee20eaa2730363fa292137ae30ece2c7699f841f21d25e
Instruction Fuzzy Hash: 3A416D75A0120AAFDB14CF64E844B9A7BB7FF49350F18002AFA4697350D735AA10EF91

Function 00FA1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FA1F64
GetDlgCtrlID.USER32 ref: 00FA1F6F
GetParent.USER32 ref: 00FA1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA1F8E
GetDlgCtrlID.USER32(?), ref: 00FA1F97
GetParent.USER32(?), ref: 00FA1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA1FAE

Strings

ComboBox, xrefs: 00FA1EEC
ListBox, xrefs: 00FA1F21

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3d95edeabf77ebebdc70ca4d260c2b95445a546b028e90cd94550146e449d5ed
Instruction ID: 301a4d7013df43821915ac896dacced49a201adb877728219c384cc4ebd8bb78
Opcode Fuzzy Hash: 3d95edeabf77ebebdc70ca4d260c2b95445a546b028e90cd94550146e449d5ed
Instruction Fuzzy Hash: 0121B3B5E00118BFCF05AFA0DC859EEBBB9EF06310F000116B95567291CB789904EBA0

Function 00FA1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00FA2043
GetDlgCtrlID.USER32 ref: 00FA204E
GetParent.USER32 ref: 00FA206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA206D
GetDlgCtrlID.USER32(?), ref: 00FA2076
GetParent.USER32(?), ref: 00FA208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA208D

Strings

ComboBox, xrefs: 00FA1FCD
ListBox, xrefs: 00FA2002

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 55855fa575482d9c82e5ddff221c75f0cc06816012d5b1f62dfbe43174f6b924
Instruction ID: 3a509476304706b56282617fe8ee4c9af83a9672b4fd8ec05b603df78198fa7e
Opcode Fuzzy Hash: 55855fa575482d9c82e5ddff221c75f0cc06816012d5b1f62dfbe43174f6b924
Instruction Fuzzy Hash: C721D4B5E00218BBDF10AFB4DC85EEEBFB9EF05310F004006B955A71A1CA799914EBA0

Function 00FD3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FD3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FD3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00FD3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FD3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FD3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FD3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FD3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FD3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FD3C13

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: c6f5973613c3c23fed6b379f446414f2a2014b7946994ae67cfa02d347c61c23
Instruction ID: be00bcd89114a7e731ee3d4b4e5df2bb75688e0a5393361745498bd149250248
Opcode Fuzzy Hash: c6f5973613c3c23fed6b379f446414f2a2014b7946994ae67cfa02d347c61c23
Instruction Fuzzy Hash: E2619C75900208AFDB20DFA8CC81EEE77F9EB49310F14019AFA15A7391D774AE41EB50

Function 00FAB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FAB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB165
GetWindowThreadProcessId.USER32(00000000), ref: 00FAB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FAB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB21D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 70b09318c904df080a6879a4564115dc4d90f0862ec4b5fe2ad1b8c288184834
Instruction ID: b2fa9b8507604cec56ad3bcf94ef80bd76ab847bb953f5068136583539006789
Opcode Fuzzy Hash: 70b09318c904df080a6879a4564115dc4d90f0862ec4b5fe2ad1b8c288184834
Instruction Fuzzy Hash: CB319EB1940209BFDB269F24EC58B6D7BEABF52371F104006FA45DA181D7B99D40EFA0

Function 00F72C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F72C94

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F72CA0
_free.LIBCMT ref: 00F72CAB
_free.LIBCMT ref: 00F72CB6
_free.LIBCMT ref: 00F72CC1
_free.LIBCMT ref: 00F72CCC
_free.LIBCMT ref: 00F72CD7
_free.LIBCMT ref: 00F72CE2
_free.LIBCMT ref: 00F72CED
_free.LIBCMT ref: 00F72CFB

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 37a81f2724ed51c06a089691264be615224943ce5365d1907c9e6e2f23103b5d
Instruction ID: f47802a6327195482db39c72a1cba42749470821a8f1c96fb39353737b270793
Opcode Fuzzy Hash: 37a81f2724ed51c06a089691264be615224943ce5365d1907c9e6e2f23103b5d
Instruction Fuzzy Hash: 4D119676500108AFCB42EF68DC42CDD7BB5FF05350F4584A6FA4C5B222D635EA90BB91

Function 00FB7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FB7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FB8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FB80B0

Strings

*.*, xrefs: 00FB8066

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 04c6a6a5080dc9c30f5f1ba52359439e1399762b8bb826c102034058e7a67639
Instruction ID: d227bf309c0e26faf94eb2bdf1b7264b40bfba6a0641da3d26982daecb89f2d9
Opcode Fuzzy Hash: 04c6a6a5080dc9c30f5f1ba52359439e1399762b8bb826c102034058e7a67639
Instruction Fuzzy Hash: FD819F729083419BCB20FF16C844AAAB7E9BFC4360F14485AF885D7250EB75DD49EF92

Function 00F45BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F45C7A

Part of subcall function 00F45D0A: GetClientRect.USER32(?,?), ref: 00F45D30
Part of subcall function 00F45D0A: GetWindowRect.USER32(?,?), ref: 00F45D71
Part of subcall function 00F45D0A: ScreenToClient.USER32(?,?), ref: 00F45D99

GetDC.USER32 ref: 00F846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F84708
SelectObject.GDI32(00000000,00000000), ref: 00F84716
SelectObject.GDI32(00000000,00000000), ref: 00F8472B
ReleaseDC.USER32(?,00000000), ref: 00F84733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F847C4

Strings

U, xrefs: 00F84693

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8f555e1171d5db462a1dec75113d1824289409e2f3980d91531db88cb240dc23
Instruction ID: dcb856e195d75bb48303e678938286e6aa1d2c234645acea317a13a4f0cd0bc8
Opcode Fuzzy Hash: 8f555e1171d5db462a1dec75113d1824289409e2f3980d91531db88cb240dc23
Instruction Fuzzy Hash: C371C231800206DFCF21AF64C984AFE7BB6FF46364F144266EE555A1A6D335A841FF50

Function 00FB359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FB35E4

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

LoadStringW.USER32(01012390,?,00000FFF,?), ref: 00FB360A

Strings

Line %d (File "%s"):, xrefs: 00FB366B
Error: , xrefs: 00FB36EF
^ ERROR, xrefs: 00FB36C9
"%s" (%d) : ==> %s:, xrefs: 00FB3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00FB3724

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d5f8f412856d90b08c7c2590d5db0a503fd3df0341c67dd479d4580cbbffe5b6
Instruction ID: c4e6e6918e72fb9f02fe49d881639faf4c7c745603a5b8cea99e01f418a5a3f8
Opcode Fuzzy Hash: d5f8f412856d90b08c7c2590d5db0a503fd3df0341c67dd479d4580cbbffe5b6
Instruction Fuzzy Hash: 6D519F72D4420ABADF15EBA1CC42EEEBB39AF04300F144125F50572192DB791B98EFA1

Function 00FBC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FBC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FBC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FBC2CA
GetLastError.KERNEL32 ref: 00FBC322
SetEvent.KERNEL32(?), ref: 00FBC336
InternetCloseHandle.WININET(00000000), ref: 00FBC341

Strings

, xrefs: 00FBC2BB

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 982d85d6d502bbf7195a49a3638bb9a868144fbf5b7e8e5d3f843c260777a070
Instruction ID: f9694ad49e6db7425906a8f2c355a7ba02bda7f48843134a8f49f4baefb531a4
Opcode Fuzzy Hash: 982d85d6d502bbf7195a49a3638bb9a868144fbf5b7e8e5d3f843c260777a070
Instruction Fuzzy Hash: 6F317FB1601209AFD7219F668C88AEB7BFDEB49754B58851EF486D3200DB34DD04AFE1

Function 00FA989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F83AAF,?,?,Bad directive syntax error,00FDCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FA98BC
LoadStringW.USER32(00000000,?,00F83AAF,?), ref: 00FA98C3

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FA9987

Strings

Line %d (File "%s"):, xrefs: 00FA992D
Error: , xrefs: 00FA9955
Line %d:, xrefs: 00FA9912
%s (%d) : ==> %s.: %s %s, xrefs: 00FA98F1
., xrefs: 00FA996D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ddfeeb15005fbfd98e7e0006e1cdf9ca012f261129232249503d06294ca33e74
Instruction ID: 1005bf0a8c3b5ed5546cd1a4562f1ea3ff17185cbd8b665b846992c72963f488
Opcode Fuzzy Hash: ddfeeb15005fbfd98e7e0006e1cdf9ca012f261129232249503d06294ca33e74
Instruction Fuzzy Hash: 15218232D0421EFBDF15AF90CC0AEEE7B76BF19300F044469FA15650A2DB759668EB50

Function 00FA209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FA20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00FA20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FA214D

Strings

smallicons, xrefs: 00FA2115
details, xrefs: 00FA20FB
list, xrefs: 00FA212F
SHELLDLL_DefView, xrefs: 00FA20CC
largeicons, xrefs: 00FA20E1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 21efa69a87f14dbb58255dc6cef16a70f57cec54fc6e588a88d39e4be450f1a9
Instruction ID: 7e3659bbd42c1bc2b87eb75fc83506211265a96c8ca0f630e426f2e20ec1b0c3
Opcode Fuzzy Hash: 21efa69a87f14dbb58255dc6cef16a70f57cec54fc6e588a88d39e4be450f1a9
Instruction Fuzzy Hash: 9011A3B6788707B9FA0666299C06DA7379CDF06724F20011AFB44A90E1EA69B8427A54

Function 00F78D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2345a5943047c9869c4c3a7bb7ad84c258737e29b24d7a127e61bc5801c908a
Instruction ID: 20fab4ffc2b8d11818c26a01e2c49793db2816c01c31ab60f8a7d6a052b0b5d7
Opcode Fuzzy Hash: a2345a5943047c9869c4c3a7bb7ad84c258737e29b24d7a127e61bc5801c908a
Instruction Fuzzy Hash: 5DC1F675D082499FCF11DFB8D845BADBBB0AF09320F04815AF558A7392C7798942EB62

Function 00F7CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F7CEB7
_free.LIBCMT ref: 00F7CF22
_free.LIBCMT ref: 00F7CF48
_free.LIBCMT ref: 00F7CF71
_free.LIBCMT ref: 00F7CFA9
_free.LIBCMT ref: 00F7CFDA
_free.LIBCMT ref: 00F7D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F7D09C
_free.LIBCMT ref: 00F7D0B5

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: f09e7581cc47b5f0d02f9f261e7cfd873246bf9783816d5a542fb200ea109686
Instruction ID: 395c9dd917d2fa76aa6a80975b2edabc8eb88a7e9d7ad8c0b8ec383a4c3d4d25
Opcode Fuzzy Hash: f09e7581cc47b5f0d02f9f261e7cfd873246bf9783816d5a542fb200ea109686
Instruction Fuzzy Hash: 81611971D04200AFDB21AF74AC41AAD7BA5AF05320F44C16FF98D97249D73A9D41B7A3

Function 00FD50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FD5186
ShowWindow.USER32(?,00000000), ref: 00FD51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FD51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FD51D1

Part of subcall function 00FD6FBA: DeleteObject.GDI32(00000000), ref: 00FD6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00FD520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FD524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FD5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FD5296

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: e00ebf0f51d5692324ab030a144e155b940f4fee12a8e3df8a7f4ff90ff2c2e9
Instruction ID: c69d9f1a2c6be513ab450f05a64ed8037e22529a4c12bfc836c0dcb7acadc0be
Opcode Fuzzy Hash: e00ebf0f51d5692324ab030a144e155b940f4fee12a8e3df8a7f4ff90ff2c2e9
Instruction Fuzzy Hash: 4251A031A41A09BEEF259F24CC45B983B73EB05B62F184113FA24963E0C7799988FB40

Function 00F58B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F96890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F58874,00000000,00000000,00000000,000000FF,00000000), ref: 00F96901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F9691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F58874,00000000,00000000,00000000,000000FF,00000000), ref: 00F9692D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 5c6ebcc027ee4493374db04cc9d9751c47c2a9195ea375aac5f6302659c06503
Instruction ID: a6b6ba27addf0d13a1cfb4f5ed1c5f31d059868fb695992d31d27a5723bee47f
Opcode Fuzzy Hash: 5c6ebcc027ee4493374db04cc9d9751c47c2a9195ea375aac5f6302659c06503
Instruction Fuzzy Hash: 26518D70A00209EFEB24CF24CC41FAA7BB6EF84361F104519FA56E7290DB75E955EB40

Function 00FBC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FBC182
GetLastError.KERNEL32 ref: 00FBC195
SetEvent.KERNEL32(?), ref: 00FBC1A9

Part of subcall function 00FBC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FBC272
Part of subcall function 00FBC253: GetLastError.KERNEL32 ref: 00FBC322
Part of subcall function 00FBC253: SetEvent.KERNEL32(?), ref: 00FBC336
Part of subcall function 00FBC253: InternetCloseHandle.WININET(00000000), ref: 00FBC341

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e4f6857a44688318056f5aeb69a32c42adca0dfc935f64f058f4effbc2d96c05
Instruction ID: c3f7a9638f41af100be5948cfec00766f291e19ec5bbfcd2bc2496f588435698
Opcode Fuzzy Hash: e4f6857a44688318056f5aeb69a32c42adca0dfc935f64f058f4effbc2d96c05
Instruction Fuzzy Hash: 64316971601606AFDB219FB69C44AA7BBEAFF58310B00441EF95A87610D730E814FFE0

Function 00FA25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA3A57
Part of subcall function 00FA3A3D: GetCurrentThreadId.KERNEL32 ref: 00FA3A5E
Part of subcall function 00FA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA25B3), ref: 00FA3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FA25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FA25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FA2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FA2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FA2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FA2627

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6504fd856b01d55ce5332bf5ce38ac845f76921defe41eedd446a2306ed28d6b
Instruction ID: 4f7b4f161346c4957d9c5852d8e5891fa8c33af770224c8694001e7637c00694
Opcode Fuzzy Hash: 6504fd856b01d55ce5332bf5ce38ac845f76921defe41eedd446a2306ed28d6b
Instruction Fuzzy Hash: 6301B171790224BBFB1067799C8AF593F5ADB4AB12F100002F318AE1D1C9F26444EAA9

Function 00FA1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FA1449,?,?,00000000), ref: 00FA180C
HeapAlloc.KERNEL32(00000000,?,00FA1449,?,?,00000000), ref: 00FA1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FA1449,?,?,00000000), ref: 00FA1828
GetCurrentProcess.KERNEL32(?,00000000,?,00FA1449,?,?,00000000), ref: 00FA1830
DuplicateHandle.KERNEL32(00000000,?,00FA1449,?,?,00000000), ref: 00FA1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FA1449,?,?,00000000), ref: 00FA1843
GetCurrentProcess.KERNEL32(00FA1449,00000000,?,00FA1449,?,?,00000000), ref: 00FA184B
DuplicateHandle.KERNEL32(00000000,?,00FA1449,?,?,00000000), ref: 00FA184E
CreateThread.KERNEL32(00000000,00000000,00FA1874,00000000,00000000,00000000), ref: 00FA1868

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 921d209ad1966795d7ecc8fd3af911493b92bed01e3e8f26a1fde3fac5f75264
Instruction ID: f7fd301f8c3b4451e10ff7ade3d911c34516b65e865e063ba0ad57e3e5b6cbdd
Opcode Fuzzy Hash: 921d209ad1966795d7ecc8fd3af911493b92bed01e3e8f26a1fde3fac5f75264
Instruction Fuzzy Hash: 9601BBB5281319BFE710ABB5DC4DF6B3BADEB89B11F014411FA05DB1A2CA749800DB60

Function 00FCA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00FAD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00FAD501
Part of subcall function 00FAD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00FAD50F
Part of subcall function 00FAD4DC: CloseHandle.KERNELBASE(00000000), ref: 00FAD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCA16D
GetLastError.KERNEL32 ref: 00FCA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FCA268
GetLastError.KERNEL32(00000000), ref: 00FCA273
CloseHandle.KERNEL32(00000000), ref: 00FCA2C4

Strings

SeDebugPrivilege, xrefs: 00FCA18F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 94ab16dda5a9ec63635ab1c008e804262279ac7f158479a37f994e1353aab4fc
Instruction ID: 60bcdd0bd67e92ee0cc73086ce9355392d6e99ce09e31e9d8868799fa87befdb
Opcode Fuzzy Hash: 94ab16dda5a9ec63635ab1c008e804262279ac7f158479a37f994e1353aab4fc
Instruction Fuzzy Hash: FD61BE716052429FD320DF14C995F65BBE1AF44328F18848CE8668B7A3C776FC49EB92

Function 00FD3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FD3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FD393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FD3954
_wcslen.LIBCMT ref: 00FD3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FD39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FD39F4

Strings

SysListView32, xrefs: 00FD38F7

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d683f4f76b5398141a9c6f8bbb20b02f13cd67e5beae3cd9f39de3fea306be26
Instruction ID: 89a3d42714aaa00615ab60ed26cd59c808dc426cbd2dddc5347b7176e1c8ee19
Opcode Fuzzy Hash: d683f4f76b5398141a9c6f8bbb20b02f13cd67e5beae3cd9f39de3fea306be26
Instruction Fuzzy Hash: BC41C671E00219ABEF219F64CC45BEA77AAEF08360F140527FA48E7281D775DD80EB91

Function 00FABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FABCFD
IsMenu.USER32(00000000), ref: 00FABD1D
CreatePopupMenu.USER32 ref: 00FABD53
GetMenuItemCount.USER32(018A5430), ref: 00FABDA4
InsertMenuItemW.USER32(018A5430,?,00000001,00000030), ref: 00FABDCC

Strings

0, xrefs: 00FABCA8
2, xrefs: 00FABD37

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: d99b970ea12c7eb5af094b88dd96746e1a9b360bc939b96304664c31b45c9635
Instruction ID: ed936f71a45d1cfc9ae57ddcbad3637cb3d95faca15d0eb893157d6d24e843e3
Opcode Fuzzy Hash: d99b970ea12c7eb5af094b88dd96746e1a9b360bc939b96304664c31b45c9635
Instruction Fuzzy Hash: EB51A1B1A002099BDF10CFB8D888BAEBBF5BF47324F144259E411DB292D774A941EB61

Function 00FAC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FAC913

Strings

blank, xrefs: 00FAC895
info, xrefs: 00FAC8B4
question, xrefs: 00FAC8CC
stop, xrefs: 00FAC8E4
warning, xrefs: 00FAC8FC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b2a9e573724f5620ac8fcef19aa1cc92b5c8fff73192df5e261cfebbcf3aba41
Instruction ID: 28435d0aba7afd7fc47085c1f9303d167d14fee81e89386fcb5a96bcee18093b
Opcode Fuzzy Hash: b2a9e573724f5620ac8fcef19aa1cc92b5c8fff73192df5e261cfebbcf3aba41
Instruction Fuzzy Hash: 1411EE76A89306BAE7016B559D82D9F77DCEF1B760B10002FF504A6281E7796D0072E5

Function 00FADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FADE42
gethostname.WSOCK32(?,00000100), ref: 00FADE5C
gethostbyname.WSOCK32(?), ref: 00FADE69
inet_ntoa.WSOCK32(?), ref: 00FADEAB
_strcat.LIBCMT ref: 00FADEB9
WSACleanup.WSOCK32 ref: 00FADEDE

Strings

0.0.0.0, xrefs: 00FADE87

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: e2d9f77b215f8b6904e35326ce72f98146c6be3ad6d5ce5b60185b98a22aa3ff
Instruction ID: 90709a6195d49068372bd80c3e0b2285b8ae8872ce29b59ca4c66c0792e48180
Opcode Fuzzy Hash: e2d9f77b215f8b6904e35326ce72f98146c6be3ad6d5ce5b60185b98a22aa3ff
Instruction Fuzzy Hash: E7110AB1904119AFCB247B30DC4AEDE77ADDF11721F04026AF54696091EF759A81FAA0

Function 00FD9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

GetSystemMetrics.USER32(0000000F), ref: 00FD9FC7
GetSystemMetrics.USER32(0000000F), ref: 00FD9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FDA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FDA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FDA263
ShowWindow.USER32(00000003,00000000), ref: 00FDA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00FDA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FDA2CA

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: f157e5d82c87ba27d0b5b4e45f2b37fbf3678586be16e8d382bde3a5f452a02a
Instruction ID: 7bc66f4034984d1b8e990377c922094638d918cd6954bb775ea30e82e81d8d25
Opcode Fuzzy Hash: f157e5d82c87ba27d0b5b4e45f2b37fbf3678586be16e8d382bde3a5f452a02a
Instruction Fuzzy Hash: D0B19C31A00219DFDF14CF69C9857AE7BB2FF44711F08806AEC499B399D731A940EB55

Function 00FAED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FAED2A
_wcslen.LIBCMT ref: 00FAED3B
_wcslen.LIBCMT ref: 00FAED79
_wcslen.LIBCMT ref: 00FAEDAF
_wcslen.LIBCMT ref: 00FAEDDF
_wcslen.LIBCMT ref: 00FAEDEF
_wcslen.LIBCMT ref: 00FAEE2B
_wcslen.LIBCMT ref: 00FAEE5A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: bc35139e0bfab8f8dff3e03d246787007bdeeaf9bca938b4bfb617c0e519a453
Instruction ID: 7b4cdb4f08a025dd51b9b0fb8a4ffb551886ec618a4c6f2809cf66a8c5ed257a
Opcode Fuzzy Hash: bc35139e0bfab8f8dff3e03d246787007bdeeaf9bca938b4bfb617c0e519a453
Instruction Fuzzy Hash: 5341C365D1021875DB11FBF4CC8A9CFB7A8AF46310F508566E518E3121FB38E245E3E5

Function 00F5F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F9682C,00000004,00000000,00000000), ref: 00F5F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F9682C,00000004,00000000,00000000), ref: 00F9F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F9682C,00000004,00000000,00000000), ref: 00F9F454

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 680f25ab9ab6bcc49282d2eb8204151cd440913fdba81d7ccb1384d49e04d3ed
Instruction ID: 3f6096d122f64f2d3b826fb4f16e823512948b8f6393d6c53eebd42fde4daae3
Opcode Fuzzy Hash: 680f25ab9ab6bcc49282d2eb8204151cd440913fdba81d7ccb1384d49e04d3ed
Instruction Fuzzy Hash: 2B415231904E40BBDB398B3CCC88B6A7B92AB46372F14417DEB8793560C676948CF751

Function 00FD2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FD2D1B
GetDC.USER32(00000000), ref: 00FD2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00FD2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FD2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FD2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FD5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FD2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FD2DE1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f2c61da90c215998fa083a56351e8e48d902c448555ed38dc55aed96f9258262
Instruction ID: b19eda3b3fb63a798f8c22967cb26402a47affd7c345e24d4cf63f8aa4244d72
Opcode Fuzzy Hash: f2c61da90c215998fa083a56351e8e48d902c448555ed38dc55aed96f9258262
Instruction Fuzzy Hash: 75317F72202214BFEB114F64CC89FEB3BAAEF19725F084056FE08DA291D6759C51D7A4

Function 00FA5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FA5637
_memcmp.LIBVCRUNTIME ref: 00FA5659
_memcmp.LIBVCRUNTIME ref: 00FA5671
_memcmp.LIBVCRUNTIME ref: 00FA5684
_memcmp.LIBVCRUNTIME ref: 00FA569E
_memcmp.LIBVCRUNTIME ref: 00FA56B1
_memcmp.LIBVCRUNTIME ref: 00FA56C9
_memcmp.LIBVCRUNTIME ref: 00FA56E4

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ea5c9f3f471ee0c6e99d009d960284c799d834ef2f79d8a52e62c7dda150aef1
Instruction ID: 373a316c0ceba1385c3f0025a36a0a7a8f506270f6282f658eda4b4699216a1f
Opcode Fuzzy Hash: ea5c9f3f471ee0c6e99d009d960284c799d834ef2f79d8a52e62c7dda150aef1
Instruction Fuzzy Hash: E021CCE2A40A0977D61455108E83FFA335DBF22B94F484021FD169A742F725EE14B5A5

Function 00FC4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00FC5007
NULL Pointer assignment, xrefs: 00FC502E, 00FC5383

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 49354f1c52cac78ff55c48b12739f8e7f798e0e39de6c6eadfe89828bf4f7f7f
Instruction ID: 1b23cefd391ddbaf2d783b79cd14d16356737c7bece80fe91f1dcf1813b00392
Opcode Fuzzy Hash: 49354f1c52cac78ff55c48b12739f8e7f798e0e39de6c6eadfe89828bf4f7f7f
Instruction Fuzzy Hash: 91D1AD71A0060B9FDF10CFA8C982FAEB7B5BF48754F14816DE915AB280D770E985DB90

Function 00F81522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00F815CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F81651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F816E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F816FB

Part of subcall function 00F73820: RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F81777
__freea.LIBCMT ref: 00F817A2
__freea.LIBCMT ref: 00F817AE

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0a9acc44b47cb3ca0c3f21339a1cd6efe64ed6243a2f19c84afcd3af54b3705e
Instruction ID: 3107af70521e237b335199f2ebed0c8423196b65e68707e8e51931b2ddb22057
Opcode Fuzzy Hash: 0a9acc44b47cb3ca0c3f21339a1cd6efe64ed6243a2f19c84afcd3af54b3705e
Instruction Fuzzy Hash: 2591A572E002169ADF20AE74CC41AEE7BB9BF49760F184759E805EB141DB35DC46EBA0

Function 00FC4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC4648
VariantInit.OLEAUT32(?), ref: 00FC4749
VariantClear.OLEAUT32(?), ref: 00FC4753
VariantClear.OLEAUT32(?), ref: 00FC47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FC472C
Null Object assignment in FOR..IN loop, xrefs: 00FC45D8, 00FC4706, 00FC47BE

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f6e41c9287c406336fdf28d2db7e51f702c5ab76b81b2965cffe1c5cc70de7a1
Instruction ID: a42aaa9701301dc79bfe667c649a398c052cd6c555603a4a2e9e57a30d0e9386
Opcode Fuzzy Hash: f6e41c9287c406336fdf28d2db7e51f702c5ab76b81b2965cffe1c5cc70de7a1
Instruction Fuzzy Hash: 4991AE71E0021AABDF20CFA5C955FAEBBB8EF46720F10855DF505AB280D770A945DFA0

Function 00FB1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FB125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FB1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FB12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB1430

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 592f2831732fe60753330bc6291833bf6c9f134de03aaa7c507dabb397641be2
Instruction ID: daa8cdf8070e1a7aa3b2e5490d13ce7914ccfc4a2e05af987842bd2d941fe6dd
Opcode Fuzzy Hash: 592f2831732fe60753330bc6291833bf6c9f134de03aaa7c507dabb397641be2
Instruction Fuzzy Hash: B191DF72A00209AFDB00DFA9C8A4BFE77B5FF46321F144129E900E7291D779A941EF90

Function 00F5948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2b89e3e7a9d1fbd311bb9bd37e93d4489294d14d5564edfe0549015fcae1c350
Instruction ID: c3b876a672df624c89169dfab4c7eac4f57dc1c1e142431c497e7b1d15e04d37
Opcode Fuzzy Hash: 2b89e3e7a9d1fbd311bb9bd37e93d4489294d14d5564edfe0549015fcae1c350
Instruction Fuzzy Hash: F2916871D04219EFCB14CFA9CC88AEEBBB9FF48320F148059E915B7251D378A955EB60

Function 00FC3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC396B
CharUpperBuffW.USER32(?,?), ref: 00FC3A7A
_wcslen.LIBCMT ref: 00FC3A8A
VariantClear.OLEAUT32(?), ref: 00FC3C1F

Part of subcall function 00FB0CDF: VariantInit.OLEAUT32(00000000), ref: 00FB0D1F
Part of subcall function 00FB0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FB0D28
Part of subcall function 00FB0CDF: VariantClear.OLEAUT32(?), ref: 00FB0D34

Strings

Incorrect Parameter format, xrefs: 00FC39A6, 00FC3BA1
AUTOIT.ERROR, xrefs: 00FC3A80, 00FC3A85

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: beacd2b3eb056a35f3eb3f39e5d00160ae3f95b77ab4ec2047d6593ce2276438
Instruction ID: 5b311c25e685be7a618e8d3b2885bbc2c191ee59ec88b48377d6c22b79538096
Opcode Fuzzy Hash: beacd2b3eb056a35f3eb3f39e5d00160ae3f95b77ab4ec2047d6593ce2276438
Instruction Fuzzy Hash: D6918D75A083029FC704DF24C981A6ABBE5FF88354F14891DF8899B351DB35EE05DB82

Function 00FC4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00FA000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?,?,00FA035E), ref: 00FA002B
Part of subcall function 00FA000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0046
Part of subcall function 00FA000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0054
Part of subcall function 00FA000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?), ref: 00FA0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FC4C51
_wcslen.LIBCMT ref: 00FC4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FC4DCF
CoTaskMemFree.OLE32(?), ref: 00FC4DDA

Strings

NULL Pointer assignment, xrefs: 00FC4E23, 00FC4E52

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: e97a76147563ef4d919b3b1786b8d566d86b67b713ddad72bfbdab378160a700
Instruction ID: c474e9b4cf8eb5e7b5e3d97333e234a7ecc4df9defa4b016bb00e35b3b988b58
Opcode Fuzzy Hash: e97a76147563ef4d919b3b1786b8d566d86b67b713ddad72bfbdab378160a700
Instruction Fuzzy Hash: 0F911871D0021A9FDF14DFA4DC91EEEBBB9BF08310F10816AE915A7251DB746A44DF60

Function 00FD20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FD2183
GetMenuItemCount.USER32(00000000), ref: 00FD21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FD21DD
_wcslen.LIBCMT ref: 00FD2213
GetMenuItemID.USER32(?,?), ref: 00FD224D
GetSubMenu.USER32(?,?), ref: 00FD225B

Part of subcall function 00FA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA3A57
Part of subcall function 00FA3A3D: GetCurrentThreadId.KERNEL32 ref: 00FA3A5E
Part of subcall function 00FA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA25B3), ref: 00FA3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FD22E3

Part of subcall function 00FAE97B: Sleep.KERNEL32 ref: 00FAE9F3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3c3094fc21656e177412a6a9f80e5d07c402a5b6ad9c6f61581bfa4ea5516bc3
Instruction ID: cc19a3fa19d17cf2121d4db97c968934b48142faddc76608935e728f0b91109e
Opcode Fuzzy Hash: 3c3094fc21656e177412a6a9f80e5d07c402a5b6ad9c6f61581bfa4ea5516bc3
Instruction Fuzzy Hash: 6A718175E00205AFCB50DF64C841AAEBBF2EF58320F18845AE916EB341D739ED41ABD0

Function 00FD7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018A5458), ref: 00FD7F37
IsWindowEnabled.USER32(018A5458), ref: 00FD7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00FD801E
SendMessageW.USER32(018A5458,000000B0,?,?), ref: 00FD8051
IsDlgButtonChecked.USER32(?,?), ref: 00FD8089
GetWindowLongW.USER32(018A5458,000000EC), ref: 00FD80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FD80C3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1d644272cb3f7c42519c99e2c48496ac3fccc2c5fb570f5ae97d435de36fc2f1
Instruction ID: f75c56c89c545f68a8dd589bad3b049007f100bda3e9a3d638ac80433808fefc
Opcode Fuzzy Hash: 1d644272cb3f7c42519c99e2c48496ac3fccc2c5fb570f5ae97d435de36fc2f1
Instruction Fuzzy Hash: C871A434908344AFDB35AF64CC84FAABBB7EF09350F18405BE9555B351DB31A845EB90

Function 00FAAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FAAEF9
GetKeyboardState.USER32(?), ref: 00FAAF0E
SetKeyboardState.USER32(?), ref: 00FAAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FAAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FAAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FAAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FAB020

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d5887fba38f62c4547846ef4d20e2b4af81bff071b0fc2b4fe99cb509edface3
Instruction ID: 4272ff369060d9aeb65f130cc845d532d594360a1840699fb34eb0077de7d081
Opcode Fuzzy Hash: d5887fba38f62c4547846ef4d20e2b4af81bff071b0fc2b4fe99cb509edface3
Instruction Fuzzy Hash: 2A51A1E1A047D63DFB3642348C45BBABEE95B07314F08858AE1E9558C3D3D9A8C8F761

Function 00FAACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FAAD19
GetKeyboardState.USER32(?), ref: 00FAAD2E
SetKeyboardState.USER32(?), ref: 00FAAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FAADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FAADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FAAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FAAE38

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 802886cb0f2d8805c0410f7f03ae8c31b54d5de0e3a03a867d632b0e0a5e3d86
Instruction ID: f1df894204a2e403608ab42c2669701d12136e079d5e9c14887c4cc8737b2f30
Opcode Fuzzy Hash: 802886cb0f2d8805c0410f7f03ae8c31b54d5de0e3a03a867d632b0e0a5e3d86
Instruction Fuzzy Hash: AD51B0E19047D53DFB3782358C95B7ABEA96B47310F088489E1D9468C2D394EC9CF762

Function 00F7542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F83CD6,?,?,?,?,?,?,?,?,00F75BA3,?,?,00F83CD6,?,?), ref: 00F75470
__fassign.LIBCMT ref: 00F754EB
__fassign.LIBCMT ref: 00F75506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F83CD6,00000005,00000000,00000000), ref: 00F7552C
WriteFile.KERNEL32(?,00F83CD6,00000000,00F75BA3,00000000,?,?,?,?,?,?,?,?,?,00F75BA3,?), ref: 00F7554B
WriteFile.KERNEL32(?,?,00000001,00F75BA3,00000000,?,?,?,?,?,?,?,?,?,00F75BA3,?), ref: 00F75584

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 92c5e35f77826b3b84d26a1998baff16d437bfda2ea76fbcc9d7cecc402799a3
Instruction ID: c4482a2b28b4ca6f3f5375a9067f4d66890d9e95303a8567a82011269d270756
Opcode Fuzzy Hash: 92c5e35f77826b3b84d26a1998baff16d437bfda2ea76fbcc9d7cecc402799a3
Instruction Fuzzy Hash: CA51C1B1A00649AFDB10CFA8D841AEEBBF9EF08710F18811BF559E7291D7709A41DB61

Function 00F5912D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F59141
ScreenToClient.USER32(00000000,?), ref: 00F5915E
GetAsyncKeyState.USER32(00000001), ref: 00F59183
GetAsyncKeyState.USER32(00000002), ref: 00F5919D

Strings

_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00F97152

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: _______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 4210589936-3308908821
Opcode ID: 68d51b8eb7d09b26412839543192ce9f51dccf853639f4277ddb1ace5cd1b1d3
Instruction ID: 8f557bbb5b430c73a3fb2dfd3617e947a21553b16f8cc34fc156cbe9227724ba
Opcode Fuzzy Hash: 68d51b8eb7d09b26412839543192ce9f51dccf853639f4277ddb1ace5cd1b1d3
Instruction Fuzzy Hash: 43417F3190861AEBDF09AF64C844BEEB775FB05331F204216E925A3290C7746D94EB91

Function 00F62D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F62D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F62D53
_ValidateLocalCookies.LIBCMT ref: 00F62DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F62E0C
_ValidateLocalCookies.LIBCMT ref: 00F62E61

Strings

csm, xrefs: 00F62DF6

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cd1124c87c3d2bda4b52fd3cd26aa79e2b9198e791d36e615afa37599edcb829
Instruction ID: 075e4ecf7784bcfe5a89d63a2fab949e91a1632c59b6a97e2380797dbf6759d4
Opcode Fuzzy Hash: cd1124c87c3d2bda4b52fd3cd26aa79e2b9198e791d36e615afa37599edcb829
Instruction Fuzzy Hash: EF41D135E00609ABCF10DF68CC85ADEBBB5BF45324F148165E814AB392DB35EA05EBD1

Function 00FC10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC307A
Part of subcall function 00FC304E: _wcslen.LIBCMT ref: 00FC309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FC1112
WSAGetLastError.WSOCK32 ref: 00FC1121
WSAGetLastError.WSOCK32 ref: 00FC11C9
closesocket.WSOCK32(00000000), ref: 00FC11F9

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 8bbd857b75eff679f7773f8e1d2fc53368215a2bbb4d9fb7d0c9826e0dd0fc11
Instruction ID: ea33790f24c1250c29aace521d17171a2c5d7fb2999462af5cfbc16afd536dd5
Opcode Fuzzy Hash: 8bbd857b75eff679f7773f8e1d2fc53368215a2bbb4d9fb7d0c9826e0dd0fc11
Instruction Fuzzy Hash: 9F41E431600206AFDB109F24CD45FA9BBAAFF46324F188059FD159B292C779ED41DBE0

Function 00FACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FACF22,?), ref: 00FADDFD

Part of subcall function 00FADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FACF22,?), ref: 00FADE16

lstrcmpiW.KERNEL32(?,?), ref: 00FACF45
MoveFileW.KERNEL32(?,?), ref: 00FACF7F
_wcslen.LIBCMT ref: 00FAD005
_wcslen.LIBCMT ref: 00FAD01B
SHFileOperationW.SHELL32(?), ref: 00FAD061

Strings

\*.*, xrefs: 00FACFF3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ce8b7b015ba2ce6f5760ae4a7ad252b510b2ce63eb56a6e8977b34ef615c1ff7
Instruction ID: 501dd3b8c38f78ee03da4b4addd92fe07e606919efbce402f521e0b33ba187dc
Opcode Fuzzy Hash: ce8b7b015ba2ce6f5760ae4a7ad252b510b2ce63eb56a6e8977b34ef615c1ff7
Instruction Fuzzy Hash: 214136B1D452199FDF12EFA4DD81ADEB7B9AF09380F1000E6E505EB141EB74AB44EB50

Function 00FD2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00FD2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00FD2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00FD2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00FD2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00FD2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00FD2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD2F0B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9daac750774c36afdfd1965f4f6061b26723e6deb60357d4b42440470717358f
Instruction ID: 47871149825b795eabfae01aa585e017a8a941909b04987835b46a1ae2dde876
Opcode Fuzzy Hash: 9daac750774c36afdfd1965f4f6061b26723e6deb60357d4b42440470717358f
Instruction Fuzzy Hash: 37311931A45145AFDB61CF28DC84F6537E2FBA9720F1901A6F6548B2A1CB75E840EB80

Function 00FA7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA778F
SysAllocString.OLEAUT32(00000000), ref: 00FA7792
SysAllocString.OLEAUT32(?), ref: 00FA77B0
SysFreeString.OLEAUT32(?), ref: 00FA77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00FA77DE
SysAllocString.OLEAUT32(?), ref: 00FA77EC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1bf1430377fc5d0d2af519ec7b8f2570b70335165c650a987954c8e825fba5af
Instruction ID: 768ec550e3b1b66cdde8986e94a6998f084ab64c303d47569d007c02690bcbdb
Opcode Fuzzy Hash: 1bf1430377fc5d0d2af519ec7b8f2570b70335165c650a987954c8e825fba5af
Instruction Fuzzy Hash: C621C4B6A05219AFDF10EFB8CC88DBB77ADEB0A3647008126FA04DB150D670DC45E7A0

Function 00FA77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA7868
SysAllocString.OLEAUT32(00000000), ref: 00FA786B
SysAllocString.OLEAUT32 ref: 00FA788C
SysFreeString.OLEAUT32 ref: 00FA7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00FA78AF
SysAllocString.OLEAUT32(?), ref: 00FA78BD

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7735a7cc05f54a62f34f6e6f7dbf21ae6f8f8abcfbe4f937ba642dd8cf03bead
Instruction ID: a3bd0e4b90a8d8d265a97c35c956b53b755cd04a3c317045ad9d79930775c4de
Opcode Fuzzy Hash: 7735a7cc05f54a62f34f6e6f7dbf21ae6f8f8abcfbe4f937ba642dd8cf03bead
Instruction Fuzzy Hash: 4621A771A05209AFDB10AFB8DC88DAA77ECEF0A3607108125F915CB1A5D678DC41EB64

Function 00FB04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FB04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB052E

Strings

nul, xrefs: 00FB0567

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c03d71286ed03ce42039a15c88b167f8d2fda5a868f8d6ed4e105c5094f7e80b
Instruction ID: 48baa9c34fe8bd2e69ac877f00f1dc36e7cfa7cf4a5c1aa83869196c2be9486a
Opcode Fuzzy Hash: c03d71286ed03ce42039a15c88b167f8d2fda5a868f8d6ed4e105c5094f7e80b
Instruction Fuzzy Hash: 44215CB590030AAFDB309F6ADC44A9B77A4AF45724F244A19E8A1D62E0DB709940EF60

Function 00FB05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FB05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB0601

Strings

nul, xrefs: 00FB0639

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 67ea564772a9f22c58c1e61a5177e03d5bde2dcba5e16202001ef7df2852d849
Instruction ID: 4a69a2818b26b0d1e07b0838a826a6505470dbff2020a47e648435a0a44862a9
Opcode Fuzzy Hash: 67ea564772a9f22c58c1e61a5177e03d5bde2dcba5e16202001ef7df2852d849
Instruction Fuzzy Hash: 08213D759002169BDB209F6A9C04ADB77E5AF95730F200A19F8A1E72E0DA709960EF50

Function 00FD40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F4604C
Part of subcall function 00F4600E: GetStockObject.GDI32(00000011), ref: 00F46060
Part of subcall function 00F4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F4606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FD4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FD411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FD412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FD4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FD4145

Strings

Msctls_Progress32, xrefs: 00FD40E3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3387e54586edc52299f8dfb95a1ea3b9c9df766ed51edb38e5001fa53b8b6cf2
Instruction ID: d0d2e6d2f36494b9d45f76b28c8080571ab60c4761feb8627763686cf1afb60b
Opcode Fuzzy Hash: 3387e54586edc52299f8dfb95a1ea3b9c9df766ed51edb38e5001fa53b8b6cf2
Instruction Fuzzy Hash: CC1193B2150119BFEF118E64CC85EE77F6DEF08798F004111BB58A6190C676AC21DBA4

Function 00F7D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F7D7A3: _free.LIBCMT ref: 00F7D7CC

_free.LIBCMT ref: 00F7D82D

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F7D838
_free.LIBCMT ref: 00F7D843
_free.LIBCMT ref: 00F7D897
_free.LIBCMT ref: 00F7D8A2
_free.LIBCMT ref: 00F7D8AD
_free.LIBCMT ref: 00F7D8B8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b99d4196b9d28b9dbb1c0da8723bd64cf0c25afdf5a85fcb1f1f813dedecb082
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: C8115171540B04AAD529BFB4CC47FCBBBFC6F40700F848826B29DA6092DA69B5467652

Function 00FADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FADA74
LoadStringW.USER32(00000000), ref: 00FADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FADA91
LoadStringW.USER32(00000000), ref: 00FADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FADAB9

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5b6187763159aa399c2d43c655e4f067aff4b099cdad3649cb26edd0c3084a92
Instruction ID: 8988d1d22a54b9af3e4076566d44ff6f306ec0d6ea5738b9f6fe654de6cb7c25
Opcode Fuzzy Hash: 5b6187763159aa399c2d43c655e4f067aff4b099cdad3649cb26edd0c3084a92
Instruction Fuzzy Hash: 460186F290021D7FE711ABB0DD89EEB336DE709701F400596B746E2042EA749E84AFB4

Function 00FB096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0189DDD8,0189DDD8), ref: 00FB097B
EnterCriticalSection.KERNEL32(0189DDB8,00000000), ref: 00FB098D
TerminateThread.KERNEL32(?,000001F6), ref: 00FB099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00FB09A9
CloseHandle.KERNEL32(?), ref: 00FB09B8
InterlockedExchange.KERNEL32(0189DDD8,000001F6), ref: 00FB09C8
LeaveCriticalSection.KERNEL32(0189DDB8), ref: 00FB09CF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f86a9aa30be4d692d5c69afbdfa9de6b4df4d2b0aa072bd8c0378a697cc7987a
Instruction ID: d3c43d30a9eca053d49f6bbd95be4dc957d4f9430264272cfbea359f33a36cfb
Opcode Fuzzy Hash: f86a9aa30be4d692d5c69afbdfa9de6b4df4d2b0aa072bd8c0378a697cc7987a
Instruction Fuzzy Hash: 43F01D31583517BBD7515BA5EE88BD67B36BF01712F401116F141908A0CB749465EFD0

Function 00F45D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F45D30
GetWindowRect.USER32(?,?), ref: 00F45D71
ScreenToClient.USER32(?,?), ref: 00F45D99
GetClientRect.USER32(?,?), ref: 00F45ED7
GetWindowRect.USER32(?,?), ref: 00F45EF8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a073fac2e3279728813e2ded8e799360b5727ec0a7a137e0d2b4bdab9071ea84
Instruction ID: caf0b8dbf07e53cfebc7014d956eb10fe208fcb51a36f84d091edacc06198077
Opcode Fuzzy Hash: a073fac2e3279728813e2ded8e799360b5727ec0a7a137e0d2b4bdab9071ea84
Instruction Fuzzy Hash: C9B16B35A0074ADBDB10EFA9C4407EEBBF1FF48310F14841AE8A9D7250DB34AA51EB54

Function 00F701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F700D6
__allrem.LIBCMT ref: 00F700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F7010B
__allrem.LIBCMT ref: 00F70122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F70140

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 6ebba3bbe2debc2f84414e517953158fbc3fffbb11ed5080ed64c50b9d79132b
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 60811872A00706DBE724AF28DC41B6B73E9AF45334F24823BF555D7281EBB4D904AB51

Function 00FC1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00FC101C,00000000,?,?,00000000), ref: 00FC3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FC1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FC1DE1
WSAGetLastError.WSOCK32 ref: 00FC1DF2
inet_ntoa.WSOCK32(?), ref: 00FC1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00FC1EDB
_strlen.LIBCMT ref: 00FC1F35

Part of subcall function 00FA39E8: _strlen.LIBCMT ref: 00FA39F2

Part of subcall function 00F46D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00F5CF58,?,?,?), ref: 00F46DBA
Part of subcall function 00F46D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00F5CF58,?,?,?), ref: 00F46DED

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 57755da78fb6bd1f3fb0bfcd632fe357897f81920f8ac831cde2085caaa156e4
Instruction ID: d4388e851a7029caa7e21254311ce277b33fc5e915ee2e1423602939930f456b
Opcode Fuzzy Hash: 57755da78fb6bd1f3fb0bfcd632fe357897f81920f8ac831cde2085caaa156e4
Instruction Fuzzy Hash: 05A1C131504341AFC314DF24C886F2ABBA5BF86318F54894CF8565B2A3CB75ED46EB92

Function 00F761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F682D9,00F682D9,?,?,?,00F7644F,00000001,00000001,8BE85006), ref: 00F76258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F7644F,00000001,00000001,8BE85006,?,?,?), ref: 00F762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F763D8
__freea.LIBCMT ref: 00F763E5

Part of subcall function 00F73820: RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

__freea.LIBCMT ref: 00F763EE
__freea.LIBCMT ref: 00F76413

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 862821036aa2d34b6044cf38238b495ba8bac042b079027fc945b2098086329f
Instruction ID: 405ce1b275bae35f5a85371210ee6f26aa2d424b11e430500b2267a6c17726fa
Opcode Fuzzy Hash: 862821036aa2d34b6044cf38238b495ba8bac042b079027fc945b2098086329f
Instruction Fuzzy Hash: 4E51D772A00616ABDF258F64CC81EAF77A9EF44760F15862AFC09D7241DB34DC44E762

Function 00FCBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCC9F1
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA68
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCBD25
RegCloseKey.ADVAPI32(00000000), ref: 00FCBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FCBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FCBDF3
RegCloseKey.ADVAPI32(?), ref: 00FCBDFF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 57d27709d293dc0cef5ac7ed65c2b061e42f8a3dc492f815e30cc2daf3e78cf7
Instruction ID: dc6355bc57eb121432933a528e3e148a49c2cc0531aa53aa8e47309510cdefb8
Opcode Fuzzy Hash: 57d27709d293dc0cef5ac7ed65c2b061e42f8a3dc492f815e30cc2daf3e78cf7
Instruction Fuzzy Hash: 2A81A135608242AFC714DF24C986F2ABBE5FF84318F14455CF55A8B2A2CB31ED05EB92

Function 00F9F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F9F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F9F860
VariantCopy.OLEAUT32(00F9FA64,00000000), ref: 00F9F889
VariantClear.OLEAUT32(00F9FA64), ref: 00F9F8AD
VariantCopy.OLEAUT32(00F9FA64,00000000), ref: 00F9F8B1
VariantClear.OLEAUT32(?), ref: 00F9F8BB

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: d806a1c17e611b66adcec1de6d7cd8e4b7ec691cc0fe07b0f7eb688b9ce49154
Instruction ID: 009cebbb68c15aeb87e7e2a212e83c6a657390364449e0cbbdcc3330e5ae00f6
Opcode Fuzzy Hash: d806a1c17e611b66adcec1de6d7cd8e4b7ec691cc0fe07b0f7eb688b9ce49154
Instruction Fuzzy Hash: 9A510932A00310BAEF60AF65DC95769B3A5EF45320F248467ED05DF291DB74CC48EB96

Function 00FB910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FB94E5
_wcslen.LIBCMT ref: 00FB9506
_wcslen.LIBCMT ref: 00FB952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FB9585

Strings

X, xrefs: 00FB9412

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b57546999dece2050cb4b47b4a62fe9511ba7249cc21b71d1ac7686bb7e0cff7
Instruction ID: 424e0410f1619c61d7e9952620d8bf16eb2631970a74fa20a758ef6b7e678dd4
Opcode Fuzzy Hash: b57546999dece2050cb4b47b4a62fe9511ba7249cc21b71d1ac7686bb7e0cff7
Instruction Fuzzy Hash: AFE1B331908340CFD724DF25C881AAAB7E4BF85310F18896DF9899B3A2DB75DD05DB92

Function 00F5920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

BeginPaint.USER32(?,?,?), ref: 00F59241
GetWindowRect.USER32(?,?), ref: 00F592A5
ScreenToClient.USER32(?,?), ref: 00F592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F592D3
EndPaint.USER32(?,?,?,?,?), ref: 00F59321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F971EA

Part of subcall function 00F59339: BeginPath.GDI32(00000000), ref: 00F59357

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: d1da52f9fa07b22c0c2387973f8ad82f6dd714e30d1eccfd0bbc44911d9b96e1
Instruction ID: 91b8290b866a469db641cbbfc0651786e9a2177eabe681d1c6afdf63219c13d3
Opcode Fuzzy Hash: d1da52f9fa07b22c0c2387973f8ad82f6dd714e30d1eccfd0bbc44911d9b96e1
Instruction Fuzzy Hash: 6D41B031509301EFDB25DF24CC84FBA7BA9EB55321F140229FAA4872E1C7759849EB61

Function 00FB07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FB080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FB0847
EnterCriticalSection.KERNEL32(?), ref: 00FB0863
LeaveCriticalSection.KERNEL32(?), ref: 00FB08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FB08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB0921

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 14216e1f72c48955ff49dfdc85c66c2fff5966273ff1775c758684397b93c8a0
Instruction ID: 14e9d82fe7b0a95632f50413f406571035f8cc6c865b26b6cabe0ce76e016a53
Opcode Fuzzy Hash: 14216e1f72c48955ff49dfdc85c66c2fff5966273ff1775c758684397b93c8a0
Instruction Fuzzy Hash: A8418B31900206EFDF14AF64DC85AAA77B9FF04310F1040A5ED009A297DB35DE64EBA0

Function 00FD81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F9F3AB,00000000,?,?,00000000,?,00F9682C,00000004,00000000,00000000), ref: 00FD824C
EnableWindow.USER32(?,00000000), ref: 00FD8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FD82D1
ShowWindow.USER32(?,00000004), ref: 00FD82E5
EnableWindow.USER32(?,00000001), ref: 00FD830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FD832F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3095034d696511d59329f4a38aa6c194ae4b313610f3fdf9e68e57a93f2c76c8
Instruction ID: 7d616440d14ac99cd3ee67abf14ebba8d43fe2c362ad43b01ae16e5f08c9efb8
Opcode Fuzzy Hash: 3095034d696511d59329f4a38aa6c194ae4b313610f3fdf9e68e57a93f2c76c8
Instruction Fuzzy Hash: DB419734A01644AFDB25CF25CC85BE47BF3FB06765F1C4266E6584B362CB369842DB50

Function 00FA4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FA4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FA4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FA4CEA
_wcslen.LIBCMT ref: 00FA4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FA4D10
_wcsstr.LIBVCRUNTIME ref: 00FA4D1A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e14fbac4e04ed38d23b90f47bfe77927e197e9804a12d515d0b9d1050d2d9554
Instruction ID: 1c550acc666cb47963c3be968324b1f1e5d488421dc109a73586f78580335bdc
Opcode Fuzzy Hash: e14fbac4e04ed38d23b90f47bfe77927e197e9804a12d515d0b9d1050d2d9554
Instruction Fuzzy Hash: AE216E726041057BEB155B35DC05E3B7B9DDF86720F10403AF809CA191DFA4EC00F2A0

Function 00FB581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43A97,?,?,00F42E7F,?,?,?,00000000), ref: 00F43AC2

_wcslen.LIBCMT ref: 00FB587B
CoInitialize.OLE32(00000000), ref: 00FB5995
CoCreateInstance.OLE32(00FDFCF8,00000000,00000001,00FDFB68,?), ref: 00FB59AE
CoUninitialize.OLE32 ref: 00FB59CC

Strings

.lnk, xrefs: 00FB5876, 00FB58C1, 00FB5985

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: e3a14945966cd1402d6eeb01150bd9f1a18478554bfca621ea187894ceb60fac
Instruction ID: e5cd3c7b9ccef7e314b0836d370f0306f8733f41eb3b6b0144637d4bdc0c27a5
Opcode Fuzzy Hash: e3a14945966cd1402d6eeb01150bd9f1a18478554bfca621ea187894ceb60fac
Instruction Fuzzy Hash: D7D16571A047019FC714DF25C880A6ABBE5EF89B20F14885DF8899B361DB39EC45DF92

Function 00FA175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA0FCA
Part of subcall function 00FA0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA0FD6
Part of subcall function 00FA0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA0FE5
Part of subcall function 00FA0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA0FEC
Part of subcall function 00FA0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA1002

GetLengthSid.ADVAPI32(?,00000000,00FA1335), ref: 00FA17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FA17BA
HeapAlloc.KERNEL32(00000000), ref: 00FA17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FA17DA
GetProcessHeap.KERNEL32(00000000,00000000,00FA1335), ref: 00FA17EE
HeapFree.KERNEL32(00000000), ref: 00FA17F5

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2f307ae3623ff4c9286d104cfa46a901877985dd85e80b1cbf875a68391b5646
Instruction ID: 2a25f914cd1343948ef17cbcea1912430e576209ab350e508ce6561b0c6f1865
Opcode Fuzzy Hash: 2f307ae3623ff4c9286d104cfa46a901877985dd85e80b1cbf875a68391b5646
Instruction Fuzzy Hash: BE11B1B191121AFFDB109FA4CC49FAF7BA9FB42365F114119F44197151C7359940EBA0

Function 00FA14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FA14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00FA1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FA1515
CloseHandle.KERNEL32(00000004), ref: 00FA1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FA154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FA1563

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1a907acb1fa98a66dd901838c9a078ea6343356667b135ab082930949d786538
Instruction ID: 769515af82b5d86e7d25286de3a929d135f28c5565b160bad94f4d35aaaa8802
Opcode Fuzzy Hash: 1a907acb1fa98a66dd901838c9a078ea6343356667b135ab082930949d786538
Instruction Fuzzy Hash: 41111AB290120EAFDF11CFA8DD49BDA7BAAFB49754F054115FA05A2060C3758E60EB60

Function 00F63382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F63379,00F62FE5), ref: 00F63390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F6339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F633B7
SetLastError.KERNEL32(00000000,?,00F63379,00F62FE5), ref: 00F63409

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d0c276f23b44184933cd18f29dbad822b870cd38dc14a257357ae65d59f78996
Instruction ID: 72092f3311e2fd7dda37a4316069d6454316678b1d71c3572d26f844b1590476
Opcode Fuzzy Hash: d0c276f23b44184933cd18f29dbad822b870cd38dc14a257357ae65d59f78996
Instruction Fuzzy Hash: 0301F733A093117EFA267774BD8AA673BA4EB06379B20032AF510812E0EF174D11F684

Function 00F72D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F75686,00F83CD6,?,00000000,?,00F75B6A,?,?,?,?,?,00F6E6D1,?,01008A48), ref: 00F72D78
_free.LIBCMT ref: 00F72DAB
_free.LIBCMT ref: 00F72DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F6E6D1,?,01008A48,00000010,00F44F4A,?,?,00000000,00F83CD6), ref: 00F72DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F6E6D1,?,01008A48,00000010,00F44F4A,?,?,00000000,00F83CD6), ref: 00F72DEC
_abort.LIBCMT ref: 00F72DF2

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 57d64e6b68fdd36e7ca3126f54ccb3cf38343832e12a1a2dd0eba2b2695f333d
Instruction ID: c1e76b79eff0356c5243d7b26ec2f5737a95b3e4f6be92cef1ae766d45f9b235
Opcode Fuzzy Hash: 57d64e6b68fdd36e7ca3126f54ccb3cf38343832e12a1a2dd0eba2b2695f333d
Instruction Fuzzy Hash: 31F0F43290560137C6B23339AC06E5E366AABC27B0F24C11BF92C921D6EE288841B163

Function 00FD8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F59693
Part of subcall function 00F59639: SelectObject.GDI32(?,00000000), ref: 00F596A2
Part of subcall function 00F59639: BeginPath.GDI32(?), ref: 00F596B9
Part of subcall function 00F59639: SelectObject.GDI32(?,00000000), ref: 00F596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FD8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00FD8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FD8A70
LineTo.GDI32(?,00000000,00000003), ref: 00FD8A80
EndPath.GDI32(?), ref: 00FD8A90
StrokePath.GDI32(?), ref: 00FD8AA0

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ecf9f08ca72f5f243e5eccca6181027a56688aeb496131f691063091e120f913
Instruction ID: 2a894404c3f131c21e37ea4499b8e1acbeeb74388ffc69d69d4c07366766a188
Opcode Fuzzy Hash: ecf9f08ca72f5f243e5eccca6181027a56688aeb496131f691063091e120f913
Instruction Fuzzy Hash: 1A111E7640114DFFDF119FA0DC48E9A7F6EEF04350F048012BA1596161C7769D55EFA0

Function 00FA51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FA5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FA5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA5230
ReleaseDC.USER32(00000000,00000000), ref: 00FA5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FA524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FA5261

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: aa8f9f2a5baa1c74b6c6f085163da4fc100faff84fef4e67e3788cada2323110
Instruction ID: 3c6337e9c221b59c6a9eca22a39d2a200e55686bddb5003eff033e9227699a7d
Opcode Fuzzy Hash: aa8f9f2a5baa1c74b6c6f085163da4fc100faff84fef4e67e3788cada2323110
Instruction Fuzzy Hash: 7C018FB5E01719BBEB10ABB59C49B4EBFB9EF48751F044066FA04E7280D6709800DBA0

Function 00F41BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F41BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F41BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F41C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F41C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F41C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F41C22

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b4c962046b38588969aaf76314bd7a0954c29f6eff3cc1699a8272deca7042cd
Instruction ID: 71e2f77f04591c19ede8edb9babd957f25ec4984bcf17efb6265c54cc84ef98f
Opcode Fuzzy Hash: b4c962046b38588969aaf76314bd7a0954c29f6eff3cc1699a8272deca7042cd
Instruction Fuzzy Hash: 0E0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00FAEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FAEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FAEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00FAEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEB75

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3b61627246edccf8c42cb6b725a3cc83ad9ec30afcfa537f260f3adbb2120d3a
Instruction ID: 70de74f41f5609f01e546ff4690768b0be8ba1b0d0538c9dd98a5775af0c2a51
Opcode Fuzzy Hash: 3b61627246edccf8c42cb6b725a3cc83ad9ec30afcfa537f260f3adbb2120d3a
Instruction Fuzzy Hash: EDF0307254216DBBEB215B629C0DEEF7B7DEFCAB11F00015AF601D1091D7A05A01E6F5

Function 00F97439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F97452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F97469
GetWindowDC.USER32(?), ref: 00F97475
GetPixel.GDI32(00000000,?,?), ref: 00F97484
ReleaseDC.USER32(?,00000000), ref: 00F97496
GetSysColor.USER32(00000005), ref: 00F974B0

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 67159d5eb3f178ec61ce40d3b4616206de2a7a460131001d8f29e9589a51d57d
Instruction ID: 7b339be14878f4f436a3803566799c54c812e3eb02f0f6169836f99595af2a1f
Opcode Fuzzy Hash: 67159d5eb3f178ec61ce40d3b4616206de2a7a460131001d8f29e9589a51d57d
Instruction Fuzzy Hash: F701A23240521AEFEB50AF74DC08BAD7BB6FF04321F540161F915A21A1CB311D41FB90

Function 00FA1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FA187F
UnloadUserProfile.USERENV(?,?), ref: 00FA188B
CloseHandle.KERNEL32(?), ref: 00FA1894
CloseHandle.KERNEL32(?), ref: 00FA189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA18A5
HeapFree.KERNEL32(00000000), ref: 00FA18AC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e47372024a67f6e1e21d25978ccf0d95d84a7c362f21ecce3f6bcf7564212a3e
Instruction ID: 4ffa26b8b2407c89698450a1bcba326cf5918127a1253f62e3027904171a1be3
Opcode Fuzzy Hash: e47372024a67f6e1e21d25978ccf0d95d84a7c362f21ecce3f6bcf7564212a3e
Instruction Fuzzy Hash: A0E0ED3604511AFBDB016FB2ED0C905BF3AFF497227108222F225810B1CB325420EF90

Function 00FAC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FAC6EE
_wcslen.LIBCMT ref: 00FAC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FAC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FAC7CA

Strings

0, xrefs: 00FAC6AF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a283a9955145ba2aecc73aada822d5d87a1b4d5489e30a163e1189bdc90c6897
Instruction ID: 381a16b59f51ced2722106ad4e55b4fb1a7a8624bf2901c67c31ba5a41900a0c
Opcode Fuzzy Hash: a283a9955145ba2aecc73aada822d5d87a1b4d5489e30a163e1189bdc90c6897
Instruction Fuzzy Hash: B051AFB1A043019BD715DE28C885B6B7BE8AF4A324F040A2DF995D7291DB78D904EFD2

Function 00FCAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FCAEA3

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

GetProcessId.KERNEL32(00000000), ref: 00FCAF38
CloseHandle.KERNEL32(00000000), ref: 00FCAF67

Strings

<, xrefs: 00FCAE6B
@, xrefs: 00FCAE72

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e4bc8daca5affd6e332a6461c4b936991c8d7cad17d86e32d3ac4a518089b67d
Instruction ID: 6134ca24177baad75cb62e7e4f4e2c197268efe191b860994f9999bdd777b11e
Opcode Fuzzy Hash: e4bc8daca5affd6e332a6461c4b936991c8d7cad17d86e32d3ac4a518089b67d
Instruction Fuzzy Hash: 2A716771A0061ADFCB14EF64C986A9EBBF0EF08314F04849DE816AB352C779ED45DB91

Function 00FA719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FA7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FA723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FA724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FA72CF

Strings

DllGetClassObject, xrefs: 00FA7242

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 646c0736fb4ab03dbe98a3b49a6798ca77de4e444025a5f477fcf9cb673e6fb1
Instruction ID: 6632f206c0c98f1eb9e8572401aba0e593ddde3fb48f1433ea521a50c9e350a8
Opcode Fuzzy Hash: 646c0736fb4ab03dbe98a3b49a6798ca77de4e444025a5f477fcf9cb673e6fb1
Instruction Fuzzy Hash: 42418DB1A043049FDB15DF54CC84F9A7BE9EF45310F1480AABD059F24AD7B0D945EBA0

Function 00FD3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD3E35
IsMenu.USER32(?), ref: 00FD3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD3E92
DrawMenuBar.USER32 ref: 00FD3EA5

Strings

0, xrefs: 00FD3D89

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 09fc70d76bdacda55fe503c7470af9eea3fa142de70fd5e3a4b547fcc80f4483
Instruction ID: 9eaca0f4e5e2ae03ee0b1fdd92dc096fcd5d2c686d2229a96ee1601958c21487
Opcode Fuzzy Hash: 09fc70d76bdacda55fe503c7470af9eea3fa142de70fd5e3a4b547fcc80f4483
Instruction Fuzzy Hash: 45414D75A01209AFDB10DF60D884A9AB7B6FF45360F08411AEA1597390D734AE44EF91

Function 00FA1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FA1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FA1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FA1EA9

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

Strings

ComboBox, xrefs: 00FA1DF0
ListBox, xrefs: 00FA1E25

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e0e2b6e8eefc59f28680e6cf5d0232d45ff31b6ea75876645cdbfb2a5ffff4f4
Instruction ID: 55943e4895654a4b881b98683822d52b5380836061beef14644cb8816ddf28fb
Opcode Fuzzy Hash: e0e2b6e8eefc59f28680e6cf5d0232d45ff31b6ea75876645cdbfb2a5ffff4f4
Instruction Fuzzy Hash: A121E5B1A00108BADB14AB64DC86CFFBBB9EF46360F144119FD25A71E1DB785909BA60

Function 00FCC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FCC9F1
_wcslen.LIBCMT ref: 00FCCA68
_wcslen.LIBCMT ref: 00FCCA9E
_wcslen.LIBCMT ref: 00FCCAF9
_wcslen.LIBCMT ref: 00FCCB2F
_wcslen.LIBCMT ref: 00FCCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00FCCA62, 00FCCA67
HKLM, xrefs: 00FCCA98, 00FCCA9D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 8212b445a5f0bc2cb9213bf407d018c0cc8b93eac8d361f625d2c449fa0e0f82
Instruction ID: 065ebd9ecc07bce2234d266cc7ce676262f7b05d3a00cd4c5eedc458c49b4481
Opcode Fuzzy Hash: 8212b445a5f0bc2cb9213bf407d018c0cc8b93eac8d361f625d2c449fa0e0f82
Instruction Fuzzy Hash: 8E31F733E0016B4ADB20EE6DDE66ABE37915B61760F05401DE889AB245E67DDD40B3E0

Function 00FD2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FD2F8D
LoadLibraryW.KERNEL32(?), ref: 00FD2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FD2FA9
DestroyWindow.USER32(?), ref: 00FD2FB1

Strings

SysAnimate32, xrefs: 00FD2F68

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 678b2e2699e8b41449a2ffa0f92266197a43fff7c20191d777fb47fada44bd20
Instruction ID: 62724d6270d0cc40e8b526c0ffe6b309a32d53fc814bdea141ddbf8a3a9fce9c
Opcode Fuzzy Hash: 678b2e2699e8b41449a2ffa0f92266197a43fff7c20191d777fb47fada44bd20
Instruction Fuzzy Hash: 4D21DE71704209ABEB104F64DC80EBB37BAEF69334F140A1AF954D6290C771DC41B7A0

Function 00F64D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F64D1E,00F728E9,?,00F64CBE,00F728E9,010088B8,0000000C,00F64E15,00F728E9,00000002), ref: 00F64D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F64DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F64D1E,00F728E9,?,00F64CBE,00F728E9,010088B8,0000000C,00F64E15,00F728E9,00000002,00000000), ref: 00F64DC3

Strings

mscoree.dll, xrefs: 00F64D86
CorExitProcess, xrefs: 00F64D98

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b9a56c3dbde097d2a2ece74b20fdd88827678dab514fa1c6d70b06e23f732e93
Instruction ID: a2a781307a38e4181a53d5b7a9d57c11a5ff944e6803a091bedf2f3f447a9ec8
Opcode Fuzzy Hash: b9a56c3dbde097d2a2ece74b20fdd88827678dab514fa1c6d70b06e23f732e93
Instruction Fuzzy Hash: 08F04F34A4121DBBDB119FA1DC49BAEBBB9EF44752F0401A5F805A2250CF75A980EBD1

Function 00F44E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F44EDD,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F44EAE
FreeLibrary.KERNEL32(00000000,?,?,00F44EDD,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F44EA8
kernel32.dll, xrefs: 00F44E94

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f5eac970062153b9ddb06297d2c2ea7e342e7571e9806f109f7813454dc39ad9
Instruction ID: 11a3e6eef6915fdf737457b59a11c8c461f87d8c2558598317cc08a0f3256468
Opcode Fuzzy Hash: f5eac970062153b9ddb06297d2c2ea7e342e7571e9806f109f7813454dc39ad9
Instruction Fuzzy Hash: EDE08C36E026339BD2225B35AC1CB6BBA59AF81B72B090117FC00E2250DF60DD02E0E1

Function 00F44E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F83CDE,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F44E74
FreeLibrary.KERNEL32(00000000,?,?,00F83CDE,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F44E6E
kernel32.dll, xrefs: 00F44E5B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f1822f05e2c94e754ab1d4ec119dcd3ba9221d4733379df2779f103cb01aadc4
Instruction ID: 9c3df3e97a083602b56d5d30d36037001b52279ef1ed29fee2e101055b2a52a7
Opcode Fuzzy Hash: f1822f05e2c94e754ab1d4ec119dcd3ba9221d4733379df2779f103cb01aadc4
Instruction Fuzzy Hash: 18D01235903633575A221B356C18F8B7F19AF85B653050617BD05F7155CF61DD01E5D0

Function 00FB2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2C05
DeleteFileW.KERNEL32(?), ref: 00FB2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FB2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2CC0

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 746d6ef5225dfb4824e1513da3f38a363c193ed06ee4a1875926f9b778dd99a4
Instruction ID: 00d59028011cb3efe5d947afda8a6fdd9d8ec4a1f9f650a0ba915307c0a8fc02
Opcode Fuzzy Hash: 746d6ef5225dfb4824e1513da3f38a363c193ed06ee4a1875926f9b778dd99a4
Instruction Fuzzy Hash: 84B16F72E0011DABDF11EFA5CC85EDEBB7DEF48350F1040A6FA09E6151EA349A449F61

Function 00FCA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FCA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FCA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FCA468
CloseHandle.KERNEL32(?), ref: 00FCA63D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ab213dd880863854339d9859e9ba20e06327c84e097a75261127143d66520551
Instruction ID: fe7622760cded2c9bcac9441af47c67ad778fe48906cb9297c7ae89cb4d3045d
Opcode Fuzzy Hash: ab213dd880863854339d9859e9ba20e06327c84e097a75261127143d66520551
Instruction Fuzzy Hash: 67A1D0716043019FD720DF24C986F2AB7E1AF84724F14881DF99A9B392DBB5EC05DB92

Function 00FAE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FACF22,?), ref: 00FADDFD

Part of subcall function 00FADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FACF22,?), ref: 00FADE16

Part of subcall function 00FAE199: GetFileAttributesW.KERNEL32(?,00FACF95), ref: 00FAE19A

lstrcmpiW.KERNEL32(?,?), ref: 00FAE473
MoveFileW.KERNEL32(?,?), ref: 00FAE4AC
_wcslen.LIBCMT ref: 00FAE5EB
_wcslen.LIBCMT ref: 00FAE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FAE650

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e8f4693c4ed0fd2baccd06f2eaa5463d1bc59b6123c0de546333c3ac997f0886
Instruction ID: 529c6fd50ad3f3cee8d7e8e1124ed0a1837ece560361674bcb8518705080c00f
Opcode Fuzzy Hash: e8f4693c4ed0fd2baccd06f2eaa5463d1bc59b6123c0de546333c3ac997f0886
Instruction Fuzzy Hash: EE5182F25083459BC724EBA4DC819DFB3ECAF85350F00491EF689D3151EF78A6889766

Function 00FCB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCC9F1
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA68
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FCBB63
RegCloseKey.ADVAPI32(?,?), ref: 00FCBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00FCBBB3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 23d298a815530643d51dfce31ebc1d14c3fdd8b8129b2c66421af5d064e5ba9b
Instruction ID: 2f4de27edb817e67572f6e955ad8aeef19ad952adb79e942d24b7a208254b20f
Opcode Fuzzy Hash: 23d298a815530643d51dfce31ebc1d14c3fdd8b8129b2c66421af5d064e5ba9b
Instruction Fuzzy Hash: 5561C535608242AFC314DF14C996F2ABBE5FF84314F14855CF4998B292CB35ED45DB92

Function 00FA8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FA8BCD
VariantClear.OLEAUT32 ref: 00FA8C3E
VariantClear.OLEAUT32 ref: 00FA8C9D
VariantClear.OLEAUT32(?), ref: 00FA8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FA8D3B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c69088b4cc08b3cfd3edecb41d7e70472c61e47dce50b87530259c77634bcd79
Instruction ID: aa5ab59f4cfc28a6e587215d87bf8beba0418230e3e4d6738dfcea3b54378763
Opcode Fuzzy Hash: c69088b4cc08b3cfd3edecb41d7e70472c61e47dce50b87530259c77634bcd79
Instruction Fuzzy Hash: 9B516CB5A0021AEFCB14CF68C894AAAB7F9FF89350B158559F905DB350E770E912CF90

Function 00FB8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FB8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FB8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FB8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FB8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FB8C5F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 40e4080c4adc2eb043fd9df49e66e77544eee1ec15b2a6b9695152cbcde92d49
Instruction ID: c1c4a4d4af6312aaa2ee4a53dfce124d9ed3412f2ff8bb8c5ebf67906c74b060
Opcode Fuzzy Hash: 40e4080c4adc2eb043fd9df49e66e77544eee1ec15b2a6b9695152cbcde92d49
Instruction Fuzzy Hash: 23515C75A002199FCB00EF65C881AADBBF5FF48314F088459E849AB362CB35ED41EF90

Function 00FC8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FC8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00FC8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FC8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00FC9032
FreeLibrary.KERNEL32(00000000), ref: 00FC9052

Part of subcall function 00F5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FB1043,?,753CE610), ref: 00F5F6E6
Part of subcall function 00F5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F9FA64,00000000,00000000,?,?,00FB1043,?,753CE610,?,00F9FA64), ref: 00F5F70D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 99d52cd91843ed05ac799d9135ad4ec8d1e47f2325403a94a6d41efb10c5b503
Instruction ID: b2201e93d3325f503f411a4ac4ddcbe0293c909af218aad6c18fd77756e5caca
Opcode Fuzzy Hash: 99d52cd91843ed05ac799d9135ad4ec8d1e47f2325403a94a6d41efb10c5b503
Instruction Fuzzy Hash: 92515B35A05206DFC701DF68C585DADBBF1FF49324B088099E8099B362DB75ED86EB90

Function 00FD6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FD6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00FD6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FD6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FBAB79,00000000,00000000), ref: 00FD6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FD6CC7

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cd028815462476e164ca5f9d0e6654764210926fedbd06ed30672d6294a0c2b7
Instruction ID: ba3215584f75b94eb0f2e43883d2621f603a932845ba93453bb678aad0a86a63
Opcode Fuzzy Hash: cd028815462476e164ca5f9d0e6654764210926fedbd06ed30672d6294a0c2b7
Instruction Fuzzy Hash: F841A235A14104AFD724CF38CC44FA97BA6EB49361F19026AF999E73E0C771AD41EA80

Function 00F72051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F720C3
_free.LIBCMT ref: 00F720E3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4d61a5e81623e451b68cd008ab4f7466f0f91647e33c3f3819c5589d50a48124
Instruction ID: 6291b773314e40fc3ce93ed3238e3a8c63749346c20906a10b05698dab035144
Opcode Fuzzy Hash: 4d61a5e81623e451b68cd008ab4f7466f0f91647e33c3f3819c5589d50a48124
Instruction Fuzzy Hash: 2A41E632E002009FCB20DF78C881A5DB3F5EF89320F1585AAEA19EB351D731AD01EB91

Function 00FB3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FB38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FB3922
TranslateMessage.USER32(?), ref: 00FB394B
DispatchMessageW.USER32(?), ref: 00FB3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB3966

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 16636be3ae03864d780817b70ff568248bf203dcc2f0382909df702a914a97e5
Instruction ID: 0d29ca04c556c4696f7f7bd16b20ee7e5bff3052e323a99c437526007dcc1986
Opcode Fuzzy Hash: 16636be3ae03864d780817b70ff568248bf203dcc2f0382909df702a914a97e5
Instruction Fuzzy Hash: 1E312971D84346EEEB39CB36D848BF637A9AB01310F04415DE5A2C2094E7B9A684EF11

Function 00FBCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FBC21E,00000000), ref: 00FBCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FBCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FBC21E,00000000), ref: 00FBCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FBC21E,00000000), ref: 00FBCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FBC21E,00000000), ref: 00FBCFF2

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 6836ed25f000aa7ea1a0ebb74e349d3cbb36896692df77ca15e05ec833d82e3b
Instruction ID: c0b6fc01cbe4487290a03453cfc6487a9eb51ae7848886044e94acdccd573d16
Opcode Fuzzy Hash: 6836ed25f000aa7ea1a0ebb74e349d3cbb36896692df77ca15e05ec833d82e3b
Instruction Fuzzy Hash: 11314D71A00206AFDB20DFA6C884ABBBBFAEB14351B1044AEF516D2140D730AD45EFB0

Function 00FA1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FA1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00FA19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00FA19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00FA19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FA19E2

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e397094ff0b3015abb957fa96cb1fb0545e6676041a91d932880ac2b3e5bebd3
Instruction ID: 93f1b515079dd89fde2d016f480583b28cd85b328f56152472c3baddf9407dde
Opcode Fuzzy Hash: e397094ff0b3015abb957fa96cb1fb0545e6676041a91d932880ac2b3e5bebd3
Instruction Fuzzy Hash: AB31B3B190021DEFCB10CFA8CD59ADE3BB5FB09325F114225F925A72D1C7709954EB90

Function 00FD5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FD5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FD579D
_wcslen.LIBCMT ref: 00FD57AF
_wcslen.LIBCMT ref: 00FD57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD5816

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5763a3c3c1b7d731af9fbaff6aa4a945630af561166029a17d16c65944a9d398
Instruction ID: 3fd28d9a243d3c0d96dd1a737f9ce766a05a2cf8546f1b86bad9fe6c9e9967e9
Opcode Fuzzy Hash: 5763a3c3c1b7d731af9fbaff6aa4a945630af561166029a17d16c65944a9d398
Instruction Fuzzy Hash: A521A231D04618DADB20DFA4CC85AEE77BAFF05B20F148217E929EB280D7749985EF51

Function 00FC0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FC0951
GetForegroundWindow.USER32 ref: 00FC0968
GetDC.USER32(00000000), ref: 00FC09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00FC09B0
ReleaseDC.USER32(00000000,00000003), ref: 00FC09E8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9e00da558408cd139956ae5d0843fb5a6f2531c8cd860de95314cdae8b83635c
Instruction ID: 1f1e817b426fb840501c1f85ac07aa7ccada190bcb409ba7959f805222333b63
Opcode Fuzzy Hash: 9e00da558408cd139956ae5d0843fb5a6f2531c8cd860de95314cdae8b83635c
Instruction Fuzzy Hash: CF215E35600214AFD714EF65CD85AAEBBE5EF44700F048069F84A97752CA34EC04EB90

Function 00F7CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F7CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F7CDE9

Part of subcall function 00F73820: RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F7CE0F
_free.LIBCMT ref: 00F7CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F7CE31

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e036c21a6cf6090beab55bb69204c797f9848e7c6939e17cd68b2f93948cb10a
Instruction ID: 09b8d7bbc49bc202a70c2fd87aff2acb9b3080c13f4be878111d3920939e37ba
Opcode Fuzzy Hash: e036c21a6cf6090beab55bb69204c797f9848e7c6939e17cd68b2f93948cb10a
Instruction Fuzzy Hash: 9C018472A026157F272116BA6C88D7B7A6DDFC6BB1315812FF909C7201EA658D02B1F2

Function 00F59639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F59693
SelectObject.GDI32(?,00000000), ref: 00F596A2
BeginPath.GDI32(?), ref: 00F596B9
SelectObject.GDI32(?,00000000), ref: 00F596E2

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 90435018efa6e75880ddf3e0e300316dfe6f8a27d5c6c37479759729795a2f10
Instruction ID: 4cb788a48e0bf471adc7d0a6872aa79cd423513e60851324b6177fe23ce19784
Opcode Fuzzy Hash: 90435018efa6e75880ddf3e0e300316dfe6f8a27d5c6c37479759729795a2f10
Instruction Fuzzy Hash: 57219531C16306EFDB299F34DC097A97BA6BB00326F100216FA60961E4D3BD5859EF90

Function 00FA5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FA5726
_memcmp.LIBVCRUNTIME ref: 00FA5744
_memcmp.LIBVCRUNTIME ref: 00FA5757
_memcmp.LIBVCRUNTIME ref: 00FA576F
_memcmp.LIBVCRUNTIME ref: 00FA5787

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e53b1a7d86ea1316e803e1374eacd076308fbae5c00cde4a1760366fe40c3475
Instruction ID: 5919772c3d9165507e2c2e2275b3124691c6510d7a25313b8e6ade90ce18fda4
Opcode Fuzzy Hash: e53b1a7d86ea1316e803e1374eacd076308fbae5c00cde4a1760366fe40c3475
Instruction Fuzzy Hash: F401F9E2641A0DFBD21851109D42FBB734DAB62BB4F084021FD16BE341F720ED14B2A1

Function 00F72DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F6F2DE,00F73863,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6), ref: 00F72DFD
_free.LIBCMT ref: 00F72E32
_free.LIBCMT ref: 00F72E59
SetLastError.KERNEL32(00000000,00F41129), ref: 00F72E66
SetLastError.KERNEL32(00000000,00F41129), ref: 00F72E6F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7a268b2f610d6a963427b8138d56a29ac631a77bc40e62aacc68fa8cfb3cea82
Instruction ID: 64b70eb0c449ed306835022a56d8cfb862a6f2fbf63c52ba20f1d424b38e8822
Opcode Fuzzy Hash: 7a268b2f610d6a963427b8138d56a29ac631a77bc40e62aacc68fa8cfb3cea82
Instruction Fuzzy Hash: 8F01F93250560177D65327396C45D2B366AABC5371B24C12BF96D921C6EF298C41B163

Function 00FA000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?,?,00FA035E), ref: 00FA002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?), ref: 00FA0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0070

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: bc2f5200010b38f4d2533d33de1bee8ba924ae760fc21e90134e300871ff6726
Instruction ID: 4df98cbcec28dc3f3fad4f03fde4d5ff15ce20b6a160444fc74614f86c7107aa
Opcode Fuzzy Hash: bc2f5200010b38f4d2533d33de1bee8ba924ae760fc21e90134e300871ff6726
Instruction Fuzzy Hash: 86018FB2601609BFDB104F68EC04FAA7BBEEB44761F148125F905D2210DB71DD40FBA0

Function 00FAE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FAE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00FAE9A5
Sleep.KERNEL32(00000000), ref: 00FAE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00FAE9B7
Sleep.KERNEL32 ref: 00FAE9F3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 87b5fdf6ad4a35f5c2b6896b5369782e0f3612194f046d03862e1a6b6289c41c
Instruction ID: 82f1e20f8d9bfe96c9a31615443832e1fe602270ae29a32534fe538ef8196caf
Opcode Fuzzy Hash: 87b5fdf6ad4a35f5c2b6896b5369782e0f3612194f046d03862e1a6b6289c41c
Instruction Fuzzy Hash: 09015771C0262EDBCF00ABF5DC49AEEBB79BF0E311F000546E502B2241CB309550EBA1

Function 00FA10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA114D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ee762e25340f7fa357034d0a825f13517399269d263f04369be2c4d889bc1f92
Instruction ID: 75ac2c51fa3dadebf21084d601c20ba49552c04d13c9cbd77bce39410b903e14
Opcode Fuzzy Hash: ee762e25340f7fa357034d0a825f13517399269d263f04369be2c4d889bc1f92
Instruction Fuzzy Hash: 49016D7550121ABFDB114F65DC49A6A3B6EFF86374B110415FA45C3360DA31DC00EAA0

Function 00FA0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA1002

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 65d6febbbd34acacd00147774d3e15f540c9c709e17a568b8ae0a684ea026a5e
Instruction ID: 459e2ef554686e596fa33ed941259face21b627db8f63868130dd36009441889
Opcode Fuzzy Hash: 65d6febbbd34acacd00147774d3e15f540c9c709e17a568b8ae0a684ea026a5e
Instruction Fuzzy Hash: 00F0A97520131AEBDB210FB59C4DF563BAEFF8A762F114416FA49C6291CA30DC40EAA0

Function 00FA1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1062

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f51192bb858ee6f94c2a443c1b49afcadf8fb09e6dd3a3b704dfdf4f45a54db8
Instruction ID: 9398a725e4b21fac3b0c01b130f80502e52045b3548b95f27c770c0004a4110f
Opcode Fuzzy Hash: f51192bb858ee6f94c2a443c1b49afcadf8fb09e6dd3a3b704dfdf4f45a54db8
Instruction Fuzzy Hash: 0EF0CD7520131AEBDB211FB5EC4CF563BAEFF8A761F114416FA45C7290CA70D840EAA0

Function 00FB030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB0324
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB0331
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB033E
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB034B
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB0358
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB0365

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 47556a8275a4acb740a206071221734f91a604b925333a9cc98e9e7cdda3ccca
Instruction ID: 3ffec99fe3ed25faec96e067f08414e3abe353d234e51e498245f55bff34eb19
Opcode Fuzzy Hash: 47556a8275a4acb740a206071221734f91a604b925333a9cc98e9e7cdda3ccca
Instruction Fuzzy Hash: CB01A272801B159FC730AF66D890457F7F5BF503253198A3FD19652931CB71A954EF80

Function 00F7D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F7D752

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F7D764
_free.LIBCMT ref: 00F7D776
_free.LIBCMT ref: 00F7D788
_free.LIBCMT ref: 00F7D79A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff97ceb1c79c382ed8f096ef67138512558bdaeaa1916e2fb907988ab13db04c
Instruction ID: 5193733973461c0909bb089f75f8368653853ec5a887681f201b73c133efe1c9
Opcode Fuzzy Hash: ff97ceb1c79c382ed8f096ef67138512558bdaeaa1916e2fb907988ab13db04c
Instruction Fuzzy Hash: 48F031329002046B8669EB68FAC5C1677FDBF44330FD8880AF14CE7505C729FC816766

Function 00FA5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FA5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FA5C6F
MessageBeep.USER32(00000000), ref: 00FA5C87
KillTimer.USER32(?,0000040A), ref: 00FA5CA3
EndDialog.USER32(?,00000001), ref: 00FA5CBD

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 225eab1076b9832c59756b889aecf8c8ae0ead7038198d0fd6c7d38db23da82a
Instruction ID: f39954bf7c3da5390212cc7d226914639bdb4bbb0f9e2e9a188dc130298f8030
Opcode Fuzzy Hash: 225eab1076b9832c59756b889aecf8c8ae0ead7038198d0fd6c7d38db23da82a
Instruction Fuzzy Hash: CE01DB715007049BEB205B30ED4EF9677B9FB01F15F00025AA543A10E1D7F4A944EA90

Function 00F722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F722BE

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F722D0
_free.LIBCMT ref: 00F722E3
_free.LIBCMT ref: 00F722F4
_free.LIBCMT ref: 00F72305

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b1b7b9b0939683de59835d79ef961ab54cb7c7e47c3b8a0cf1b27b6c3183b84d
Instruction ID: 997299f20f20c1bd7dc5e79f5d142ca15cfc6e31c0105941a539251c34515b6b
Opcode Fuzzy Hash: b1b7b9b0939683de59835d79ef961ab54cb7c7e47c3b8a0cf1b27b6c3183b84d
Instruction Fuzzy Hash: B6F030B08011108B9667AF78F8028487B74B718760F05464BF5D8D22ADC73E0591BBA6

Function 00F595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F595D4
StrokeAndFillPath.GDI32(?,?,00F971F7,00000000,?,?,?), ref: 00F595F0
SelectObject.GDI32(?,00000000), ref: 00F59603
DeleteObject.GDI32 ref: 00F59616
StrokePath.GDI32(?), ref: 00F59631

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 27f6ecfde111feb6ea99ab741072c8275a8bd4ee546481a83ffb2d7ad45a371a
Instruction ID: 1e44e754196e959efff1c6c6f71b33e92dadd93d441fb3562be9ebf3171154b6
Opcode Fuzzy Hash: 27f6ecfde111feb6ea99ab741072c8275a8bd4ee546481a83ffb2d7ad45a371a
Instruction Fuzzy Hash: B1F0313140A209DBDB2A5F75ED0C7643B63AB00332F048215FAA5550F4C7798559EF60

Function 00F70F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F710F9
__freea.LIBCMT ref: 00F71117

Part of subcall function 00F71537: _free.LIBCMT ref: 00F7154F

Strings

am/pm, xrefs: 00F7117A
a/p, xrefs: 00F711DE

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 427719f160c2c41d996b0810c0bb368a49d2747d9bbc240cd2a844dc901ae92b
Instruction ID: 7ed07ae6fd2a515472748e7176682fa97e122b745938d7c3cc3fd723e8f1af13
Opcode Fuzzy Hash: 427719f160c2c41d996b0810c0bb368a49d2747d9bbc240cd2a844dc901ae92b
Instruction Fuzzy Hash: D6D1F232D00205DADB649F6CC895BFAB7B5FF05320F28811BE509AB641D3759D88EB53

Function 00FC7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F60242: EnterCriticalSection.KERNEL32(0101070C,01011884,?,?,00F5198B,01012518,?,?,?,00F412F9,00000000), ref: 00F6024D
Part of subcall function 00F60242: LeaveCriticalSection.KERNEL32(0101070C,?,00F5198B,01012518,?,?,?,00F412F9,00000000), ref: 00F6028A

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00F600A3: __onexit.LIBCMT ref: 00F600A9

__Init_thread_footer.LIBCMT ref: 00FC7BFB

Part of subcall function 00F601F8: EnterCriticalSection.KERNEL32(0101070C,?,?,00F58747,01012514), ref: 00F60202
Part of subcall function 00F601F8: LeaveCriticalSection.KERNEL32(0101070C,?,00F58747,01012514), ref: 00F60235

Strings

Variable must be of type 'Object'., xrefs: 00FC7C3A
5, xrefs: 00FC7C78
G, xrefs: 00FC7C7F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 7bbad8701438173b558e09e41a5cb0bc93e7da4fa11a61e940c29fc8da948576
Instruction ID: a03d63ffdd35aad9a1e2ada7563b59a27d7095cb3b7620a59483c50e0a82b5fa
Opcode Fuzzy Hash: 7bbad8701438173b558e09e41a5cb0bc93e7da4fa11a61e940c29fc8da948576
Instruction Fuzzy Hash: 20918E71A0420AAFCB14EF54DA92EADB7B1FF44310F14805DF8469B292DB35AE41EF51

Function 00FA2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA21D0,?,?,00000034,00000800,?,00000034), ref: 00FAB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FA2760

Part of subcall function 00FAB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00FAB3F8

Part of subcall function 00FAB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00FAB355
Part of subcall function 00FAB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FA2194,00000034,?,?,00001004,00000000,00000000), ref: 00FAB365
Part of subcall function 00FAB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FA2194,00000034,?,?,00001004,00000000,00000000), ref: 00FAB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA281A

Strings

@, xrefs: 00FA2832

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 249559e9f6f1d77ca0abb0e4f95d0381bbaf215dff18aa43caa8a86ac6fe059f
Instruction ID: f296e138ce1a00c910168fa03c3a422b2d1cc06c5d5a78a993f4adc4c97e8843
Opcode Fuzzy Hash: 249559e9f6f1d77ca0abb0e4f95d0381bbaf215dff18aa43caa8a86ac6fe059f
Instruction Fuzzy Hash: 2F411CB2A00218AFDB10DFA4CD45AEEBBB8EF0A710F104055FA55B7181DB746F45DBA1

Function 00F7172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00F71769
_free.LIBCMT ref: 00F71834
_free.LIBCMT ref: 00F7183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00F71760, 00F71767, 00F71796, 00F717CE

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 5d5e99db6c78e83ce05d0dbfcc7a03f4dfa904258819ecb3eea6a2342864a8a3
Instruction ID: f57e8d70cf5711c1fec551a5378ec932665dfd0e5b107c38a58ee75bb52c2dcc
Opcode Fuzzy Hash: 5d5e99db6c78e83ce05d0dbfcc7a03f4dfa904258819ecb3eea6a2342864a8a3
Instruction Fuzzy Hash: B7318171E00218ABDB25DFADDC81D9EBBBCFB85320B148167F90897201D6748A45EB92

Function 00FAC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FAC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00FAC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01011990,018A5430), ref: 00FAC395

Strings

0, xrefs: 00FAC2DF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b9c270536c2a72776f606b1f6d3edaa7da9798903ae87935067ccfbdac3300d4
Instruction ID: b0ce36ca7edb05870b2dfe8ada5c1ba69093c232d3e2261d53581953ba3f9946
Opcode Fuzzy Hash: b9c270536c2a72776f606b1f6d3edaa7da9798903ae87935067ccfbdac3300d4
Instruction Fuzzy Hash: AA41C3B16083019FDB20DF25DC44B1ABBE8AF86320F04861DF9A5972D1D774E904EBA2

Function 00FD4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FDCC08,00000000,?,?,?,?), ref: 00FD44AA
GetWindowLongW.USER32 ref: 00FD44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD44D7

Strings

SysTreeView32, xrefs: 00FD447C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 59f82aa011bcb18e23ea14bfabf670f54dea035c67d99bf02e6ef11b8cdbf749
Instruction ID: bee2b1e564c7711daa338eeaaa1a227043615186030747b0d1f8296cd17f385a
Opcode Fuzzy Hash: 59f82aa011bcb18e23ea14bfabf670f54dea035c67d99bf02e6ef11b8cdbf749
Instruction Fuzzy Hash: E5319E31610205AFDF259E38DC45BEA7BAAEB09334F284716FD79922D0D774EC90AB50

Function 00FC304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FC3077,?,?), ref: 00FC3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC307A
_wcslen.LIBCMT ref: 00FC309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00FC3106

Strings

255.255.255.255, xrefs: 00FC3095, 00FC309A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 8728de1b6e000609b0f101be897e03adff597788f26d61a8d153030319a59d03
Instruction ID: 8d32cf167f352eb274460f5798e2a00e20847e6e6a0a7e06335f4d38cebdaef3
Opcode Fuzzy Hash: 8728de1b6e000609b0f101be897e03adff597788f26d61a8d153030319a59d03
Instruction Fuzzy Hash: 1931E936A042069FC710CF28CA86F6A77E1EF54368F18C05DE9168B392D776DE41E761

Function 00FD3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FD3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FD3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD3F78

Strings

SysMonthCal32, xrefs: 00FD3F0B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7e31ae669a8cec873b3e481a5db914ac8e9549e769758e312d2b8cf6989210db
Instruction ID: ac96a588fe2b39502332312a48fbe2250e76cf952d25b7b38998ce2f6f3899d9
Opcode Fuzzy Hash: 7e31ae669a8cec873b3e481a5db914ac8e9549e769758e312d2b8cf6989210db
Instruction Fuzzy Hash: AA21AD32A00219BBDF258F60CC46FEA3B76EB48724F150215FA55AB2C0D6B5AC50EB90

Function 00FD4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FD4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FD4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FD471A

Strings

msctls_updown32, xrefs: 00FD4684

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6235d77e0b218cd231aa298fee5c92d856fe214fb675bda7d4527114fc9ec3d0
Instruction ID: df61df5fc433ea10179ecf722eb67c02a12bd34acf324414ed47bbac4c79ba3a
Opcode Fuzzy Hash: 6235d77e0b218cd231aa298fee5c92d856fe214fb675bda7d4527114fc9ec3d0
Instruction Fuzzy Hash: 21214CB5600209AFDB10DF64DCC1DA637AEEB4A3A4B04005AFA109B351CB35FC11EB60

Function 00FA95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA961D

Strings

#requireadmin, xrefs: 00FA95D9
#notrayicon, xrefs: 00FA95B7
#OnAutoItStartRegister, xrefs: 00FA95F3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: e8873d7b5c4a6f6eb07dac5e25580514750d140d7c8966204e540f01f9c5eb99
Instruction ID: d911c297265cc2ba3c05ff555b260228b89914431d9eee6b4399bf1ac62ab601
Opcode Fuzzy Hash: e8873d7b5c4a6f6eb07dac5e25580514750d140d7c8966204e540f01f9c5eb99
Instruction Fuzzy Hash: EF216BB29082116AD331BA24DC02FB773DC9F92310F04443AF94997241EBD59D45F291

Function 00FD37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FD3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FD3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FD3876

Strings

Listbox, xrefs: 00FD380F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ba37e6b368ab8bc2207181d3cb8c8b209c5705a52ea74fcbfe1e523dedbf80c5
Instruction ID: 22621c4fcdd0230efab087a774b77a83ceeeb8ceb7e49646b9757b9ea2c1c55b
Opcode Fuzzy Hash: ba37e6b368ab8bc2207181d3cb8c8b209c5705a52ea74fcbfe1e523dedbf80c5
Instruction Fuzzy Hash: 7621C272A10119BBEF218F64CC45FBB376FEF89760F148115FA449B290C676DC52A7A0

Function 00FB49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FB4A5C
SetErrorMode.KERNEL32(00000000,?,?,00FDCC08), ref: 00FB4AD0

Strings

%lu, xrefs: 00FB4A6F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4b497a0f76fed4978a7ea4faa658f0ffca953484182e5603b702cfd1d66ed35f
Instruction ID: 1cae62c546629df4175582d690366c09f9dfcbbfc966c9bf2030feb88dcbc9f0
Opcode Fuzzy Hash: 4b497a0f76fed4978a7ea4faa658f0ffca953484182e5603b702cfd1d66ed35f
Instruction Fuzzy Hash: EF318071A00109AFD710DF64C985EAE7BF8EF04308F144095E905DB252D775ED46DBA1

Function 00FD41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FD424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FD4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FD4271

Strings

msctls_trackbar32, xrefs: 00FD4226

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c76ef6b7d323d5a2f7210f1d62a581f4d8b671c65aa3025440b184e64525f496
Instruction ID: ef6fec3100511124960a034aa7c74051b76e87872ad1332da76dacd7f3d1981e
Opcode Fuzzy Hash: c76ef6b7d323d5a2f7210f1d62a581f4d8b671c65aa3025440b184e64525f496
Instruction Fuzzy Hash: 58110232640248BFEF215F39CC06FAB3BADEF95B64F150125FA95E6190D671EC11AB20

Function 00FA2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

Part of subcall function 00FA2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FA2DC5
Part of subcall function 00FA2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA2DD6
Part of subcall function 00FA2DA7: GetCurrentThreadId.KERNEL32 ref: 00FA2DDD
Part of subcall function 00FA2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FA2DE4

GetFocus.USER32 ref: 00FA2F78

Part of subcall function 00FA2DEE: GetParent.USER32(00000000), ref: 00FA2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00FA2FC3
EnumChildWindows.USER32(?,00FA303B), ref: 00FA2FEB

Strings

%s%d, xrefs: 00FA2FFF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: b913a80a503a6d8e022a6938abca24e613f85a9d31b74bab4e437423f681fe2a
Instruction ID: 44bf4f2a382c6f6c322208bc9353be49da053d55e3bf7bd7a319cb7ade1fd1a4
Opcode Fuzzy Hash: b913a80a503a6d8e022a6938abca24e613f85a9d31b74bab4e437423f681fe2a
Instruction Fuzzy Hash: ED1190B17002096BDF546F748C85EEE376AAF85308F048075BD099B292DE349949EB61

Function 00FD5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FD58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FD58EE
DrawMenuBar.USER32(?), ref: 00FD58FD

Strings

0, xrefs: 00FD588F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: aa6a7a08256f01fa23a931f16028396ddb62bfc297e87b8f2a6df1d4bb358661
Instruction ID: c11fd843100888cbef5bfb586770b8a9ab846c1376d4f7ad55a8c33969976cf0
Opcode Fuzzy Hash: aa6a7a08256f01fa23a931f16028396ddb62bfc297e87b8f2a6df1d4bb358661
Instruction Fuzzy Hash: 2D01C431900208EFDB109F11DC45BAEBBB6FF45761F08809AE848D6251DB308A89FF21

Function 00F9D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F9D3BF
FreeLibrary.KERNEL32 ref: 00F9D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00F9D3B9
X64, xrefs: 00F9D2A8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b5f54e65d4e2c7495cb6411dd5bf1c696e6d3711f2112cbd97268cce5816d568
Instruction ID: beef8661986d27180d476ee30d7a8afcc0f5bc1d14ce568a9671bfc6934589a4
Opcode Fuzzy Hash: b5f54e65d4e2c7495cb6411dd5bf1c696e6d3711f2112cbd97268cce5816d568
Instruction Fuzzy Hash: 48F0E573C026229BFF7917308C58E693315AF10746BB9815AFA42E6149DB60CD44F6D2

Function 00FA007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47938c7854f96ace8e3396e5ba9d8834a9884665305cbee0cf6662ab04e48b26
Instruction ID: a202a09bb43b336e083d3c71f6a92eacf96c99cf663ce63073f3fb23e61d831f
Opcode Fuzzy Hash: 47938c7854f96ace8e3396e5ba9d8834a9884665305cbee0cf6662ab04e48b26
Instruction Fuzzy Hash: 18C15BB5A0020AEFDB14CFA4D894BAEB7B5FF49314F208598E505EB251DB31ED41EB90

Function 00F73E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F73F0B
__alldvrm.LIBCMT ref: 00F7410C
__alldvrm.LIBCMT ref: 00F7412E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 602ccb9083fb203126a3f9224da2adb99aa5cde3432702f41af832db801ae719
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: D2A18B32D003469FD716DF18CC917AEBBE4EF21360F14816FE5598B281C378A981E752

Function 00FC342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FC3459
CoUninitialize.OLE32 ref: 00FC3463
VariantInit.OLEAUT32(?), ref: 00FC346E
VariantClear.OLEAUT32(?), ref: 00FC371B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 8ecdbcae4980d92d0bfcb8e8b3b4ae95da6829a7273d580bcb55adf1723abb6a
Instruction ID: 84ab8b0b83401bf2cef9be895a299dc0c15852f71ac9970e7a2c5512dab280bb
Opcode Fuzzy Hash: 8ecdbcae4980d92d0bfcb8e8b3b4ae95da6829a7273d580bcb55adf1723abb6a
Instruction Fuzzy Hash: 81A12B756043119FC700EF24C985E1ABBE5EF88764F08885DF9899B362DB34ED05EB91

Function 00FA0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FDFC08,?), ref: 00FA05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FDFC08,?), ref: 00FA0608
CLSIDFromProgID.OLE32(?,?,00000000,00FDCC40,000000FF,?,00000000,00000800,00000000,?,00FDFC08,?), ref: 00FA062D
_memcmp.LIBVCRUNTIME ref: 00FA064E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 5654eca9994ad00b68148e8aeacdc525c5121eacb4bb419ca6d7db893351cc7c
Instruction ID: b71e00f49d4c400d148bfaa1068a7ea1c8644e61c17399a6f502e3d8b2a6de25
Opcode Fuzzy Hash: 5654eca9994ad00b68148e8aeacdc525c5121eacb4bb419ca6d7db893351cc7c
Instruction Fuzzy Hash: 968129B5E00109EFCB04DF94C988EEEB7B9FF89315F244558E506AB250DB71AE06DB60

Function 00FCA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FCA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00FCA6BA

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Process32NextW.KERNEL32(00000000,?), ref: 00FCA79C
CloseHandle.KERNEL32(00000000), ref: 00FCA7AB

Part of subcall function 00F5CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F83303,?), ref: 00F5CE8A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: fa9cb32f34da5b4feea0b5b2ac7123cb6ce8f30fa552d809f11b2d26d8319564
Instruction ID: 94671397d3c2e9ae9ec86235a81825da48c8078d6b305f24f3b063120d3d9bef
Opcode Fuzzy Hash: fa9cb32f34da5b4feea0b5b2ac7123cb6ce8f30fa552d809f11b2d26d8319564
Instruction Fuzzy Hash: AA514771508301AFD310EF24CC86A6BBBE8FF89754F00491DF98597292EB74E904DB92

Function 00F81391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F814C0

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 45d53b3ed245412ec0f3058b1d68089a0dfbeff1e472506e0b11328f30adb561
Instruction ID: 297f5b3f6228d8a86e9e4c38ebe2187410dd3a6ff12de89b801c42d596960848
Opcode Fuzzy Hash: 45d53b3ed245412ec0f3058b1d68089a0dfbeff1e472506e0b11328f30adb561
Instruction Fuzzy Hash: A9411931E00100ABDB21FBB99C45AFE3BADFF46370F144326F419D6192E67848527762

Function 00FD6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FD62E2
ScreenToClient.USER32(?,?), ref: 00FD6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FD6382

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: dbcd4fc136b91e58c5df5c4a72d06345f6339cb1041b367169eb1f449f60edee
Instruction ID: ddf506078ec7f52f921e65d73f10535f5640902a484621034d0f897e5484df8c
Opcode Fuzzy Hash: dbcd4fc136b91e58c5df5c4a72d06345f6339cb1041b367169eb1f449f60edee
Instruction Fuzzy Hash: 56514A74A00209AFCF24DF68D8809AE7BB6FB55360F14825AF925DB390D731ED41EB90

Function 00FC1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FC1AFD
WSAGetLastError.WSOCK32 ref: 00FC1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FC1B8A
WSAGetLastError.WSOCK32 ref: 00FC1B94

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d4226d67b9722bbea110c218ddd8c2d4a2518ab423406d28965c23d96cecfc87
Instruction ID: 1d2251ec97830d12e5ac6103507b940f222a5487a3b10308209338e23dd2f035
Opcode Fuzzy Hash: d4226d67b9722bbea110c218ddd8c2d4a2518ab423406d28965c23d96cecfc87
Instruction Fuzzy Hash: DA419034A00201AFE720AF24C886F257BE5AB85718F54844CFA1A9F3D3D776DD41DB90

Function 00F7B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e3894e18d69eeb7677d02635c25d8be07af6da16ed91648038983d8df1badd
Instruction ID: 3c716350610cbe1aafe40e1718c687bddce826e28dd484a802a322eef6ede8a6
Opcode Fuzzy Hash: 05e3894e18d69eeb7677d02635c25d8be07af6da16ed91648038983d8df1badd
Instruction Fuzzy Hash: 44411B71A00304BFD724DF38CC41BAA7BF9EB85720F10862BF549DB282D775A9019791

Function 00FB56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FB5783
GetLastError.KERNEL32(?,00000000), ref: 00FB57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FB57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FB57FA

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1c7e254af290cf3477677eabb3f90b02830915db1ec8d570f358a13c9fb0702d
Instruction ID: 088761c57d9ee95af85e47cc651e56ed4e5c2eeb00797e648d37de79a0941463
Opcode Fuzzy Hash: 1c7e254af290cf3477677eabb3f90b02830915db1ec8d570f358a13c9fb0702d
Instruction Fuzzy Hash: 7A41FA35600615DFCB11EF15C944A59BBE2EF49720B198888EC4A9F366CB39FD40EB91

Function 00F7D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F66D71,00000000,00000000,00F682D9,?,00F682D9,?,00000001,00F66D71,8BE85006,00000001,00F682D9,00F682D9), ref: 00F7D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F7D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F7D9AB
__freea.LIBCMT ref: 00F7D9B4

Part of subcall function 00F73820: RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5c9f55c684b1fcad8cd88aa5579d257a35577363228d75ce20d024de04a8a64d
Instruction ID: 38fdbd8f1de8329efde17dfc2df7663d51e5898dba0853ab56e513d2a7201f58
Opcode Fuzzy Hash: 5c9f55c684b1fcad8cd88aa5579d257a35577363228d75ce20d024de04a8a64d
Instruction Fuzzy Hash: 1C31C072A0021AABDB259F64DC41EAE7BB5EF40320F15826AFD08D6150EB39DD50EB91

Function 00FD52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00FD5352
GetWindowLongW.USER32(?,000000F0), ref: 00FD5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FD53A8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 32bd63780c70773293d01cb28122231cb028ced1a600f6870c6a7af470556189
Instruction ID: 672b26d23204f95c4a1227bdd1896c05f3516f17851197de81b3b52c1ab4a23d
Opcode Fuzzy Hash: 32bd63780c70773293d01cb28122231cb028ced1a600f6870c6a7af470556189
Instruction Fuzzy Hash: 0B31C035E55A0CEFEB349A64CC06BE87767AB04BA0F5C4103FA50963E1C7B59990FB81

Function 00FAAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00FAABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FAAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FAAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00FAACC6

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8a761bcad70cff88e1f1c14a2c1fa92849908bc4fc03200a3d46d0aaa882ebd
Instruction ID: 63333c286218b2c178c1c551cf15a5cec6751d38e2094a310d7262bf9222abff
Opcode Fuzzy Hash: d8a761bcad70cff88e1f1c14a2c1fa92849908bc4fc03200a3d46d0aaa882ebd
Instruction Fuzzy Hash: F931F8B0E446186FFF258B658C047FA7BA6AB46330F04431AE485921D1D379C989F792

Function 00FD7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FD769A
GetWindowRect.USER32(?,?), ref: 00FD7710
PtInRect.USER32(?,?,00FD8B89), ref: 00FD7720
MessageBeep.USER32(00000000), ref: 00FD778C

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 03f8ecb84f53bea525ef1ecef8d12c151cd44ca137a380dcec00f746b1e7dab1
Instruction ID: c52eb56497e3b77ee32c57fa9e6df1fbb8e53d875b5ed16e25c141fb1f229f73
Opcode Fuzzy Hash: 03f8ecb84f53bea525ef1ecef8d12c151cd44ca137a380dcec00f746b1e7dab1
Instruction Fuzzy Hash: 6641B134A093159FCB11EF68C884EA9BBF2BB48310F1844AAE5648F350E335E941EB90

Function 00FD16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FD16EB

Part of subcall function 00FA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA3A57
Part of subcall function 00FA3A3D: GetCurrentThreadId.KERNEL32 ref: 00FA3A5E
Part of subcall function 00FA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA25B3), ref: 00FA3A65

GetCaretPos.USER32(?), ref: 00FD16FF
ClientToScreen.USER32(00000000,?), ref: 00FD174C
GetForegroundWindow.USER32 ref: 00FD1752

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a6db3f6cef213972a696f5d85d626b4b8c14d5110b39bea00c372dc8f9e64bb7
Instruction ID: 394b424a02523cb1767b17967ec7da8edec6885450c0af85b41e902bf55e00b9
Opcode Fuzzy Hash: a6db3f6cef213972a696f5d85d626b4b8c14d5110b39bea00c372dc8f9e64bb7
Instruction Fuzzy Hash: 3F316F75D01249AFC700EFA9C881CAEBBF9EF49304B5480AAE815E7211D735DE45DBA0

Function 00FADF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

_wcslen.LIBCMT ref: 00FADFCB
_wcslen.LIBCMT ref: 00FADFE2
_wcslen.LIBCMT ref: 00FAE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00FAE018

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 8642b64a9a11bca216cd6db152cb2eda9fae0b490e18fa8790c05aa07dc64c2d
Instruction ID: 44b83441495f614f5622cdae815e807a8e2179025e48d0174059f0e584780dbb
Opcode Fuzzy Hash: 8642b64a9a11bca216cd6db152cb2eda9fae0b490e18fa8790c05aa07dc64c2d
Instruction Fuzzy Hash: 4D21E5B1D00214AFCB10EFA8CD82BAEB7F8EF46720F104065E905BB245D6749E41EBA1

Function 00FD8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

GetCursorPos.USER32(?), ref: 00FD9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F97711,?,?,?,?,?), ref: 00FD9016
GetCursorPos.USER32(?), ref: 00FD905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F97711,?,?,?), ref: 00FD9094

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5d5caefb78e39c8b7710c898a322c4d73e0b9de5ea61debf0ab42d553ba8602b
Instruction ID: a3247601bafc98e3283cb717fed0028c504e39e2b8b7030e1ba302b7fd754afd
Opcode Fuzzy Hash: 5d5caefb78e39c8b7710c898a322c4d73e0b9de5ea61debf0ab42d553ba8602b
Instruction Fuzzy Hash: F321B131604018FFCB259FB4D848EEA3BBAEF49360F088156FA0587261C3759950EB60

Function 00FAD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FDCB68), ref: 00FAD2FB
GetLastError.KERNEL32 ref: 00FAD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FAD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FDCB68), ref: 00FAD376

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d1afe9434461d4a39fc03314483b8c11cbc87db72f42ebdf773d530dfec56241
Instruction ID: 08d1478f509f86d0cecfe0646bd2dd6ab8e87de3230724c472e640860c713ef6
Opcode Fuzzy Hash: d1afe9434461d4a39fc03314483b8c11cbc87db72f42ebdf773d530dfec56241
Instruction Fuzzy Hash: 3321A3B49093029F8B00DF28C88146EBBE4EF57364F504A1EF49AC72A1D731D945EB93

Function 00FA1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA102A
Part of subcall function 00FA1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1036
Part of subcall function 00FA1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1045
Part of subcall function 00FA1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA104C
Part of subcall function 00FA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FA15BE
_memcmp.LIBVCRUNTIME ref: 00FA15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA1617
HeapFree.KERNEL32(00000000), ref: 00FA161E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3251927d878f16885badb14843d4a5e96a8612b8a91b087eadaa1cc219bea98d
Instruction ID: 46854b8fba13507ac5c1c9cd4871cadf573d1dd157b478f49311680218dd1d09
Opcode Fuzzy Hash: 3251927d878f16885badb14843d4a5e96a8612b8a91b087eadaa1cc219bea98d
Instruction Fuzzy Hash: A7218CB1E41109EFDF10DFA4C945BEEB7B9FF45354F0A4459E441AB241E730AA05EBA0

Function 00FD2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FD280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FD2840

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 5a9759af554970502d396f0022c69bc3edd49ffd37bfe66ba3f770d6aaf8b497
Instruction ID: 2fb946dfc0bfd8ca4c4e67832736ea9d39e828629beac4c71466dfb616729b4c
Opcode Fuzzy Hash: 5a9759af554970502d396f0022c69bc3edd49ffd37bfe66ba3f770d6aaf8b497
Instruction Fuzzy Hash: 3721F131605111AFD7549B24CC44FAA7B96EF55324F18825AF8268B3E2CB79FC42EBD0

Function 00FA78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FA790A,?,000000FF,?,00FA8754,00000000,?,0000001C,?,?), ref: 00FA8D8C
Part of subcall function 00FA8D7D: lstrcpyW.KERNEL32(00000000,?,?,00FA790A,?,000000FF,?,00FA8754,00000000,?,0000001C,?,?,00000000), ref: 00FA8DB2
Part of subcall function 00FA8D7D: lstrcmpiW.KERNEL32(00000000,?,00FA790A,?,000000FF,?,00FA8754,00000000,?,0000001C,?,?), ref: 00FA8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FA8754,00000000,?,0000001C,?,?,00000000), ref: 00FA7923
lstrcpyW.KERNEL32(00000000,?,?,00FA8754,00000000,?,0000001C,?,?,00000000), ref: 00FA7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FA8754,00000000,?,0000001C,?,?,00000000), ref: 00FA7984

Strings

cdecl, xrefs: 00FA797B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9cc4d06f77e38d6e6c42cbfe53b1ca7d5f120acc814c59a69509aaa361a43a70
Instruction ID: 4838c5cf434de1afa39ee4c30b6f126faff4ebcf305f86262e658b11fe092118
Opcode Fuzzy Hash: 9cc4d06f77e38d6e6c42cbfe53b1ca7d5f120acc814c59a69509aaa361a43a70
Instruction Fuzzy Hash: CF11067A201302ABDB15AF34CC45E7B77AAFF4A390B00402BF942C7264EB319812E791

Function 00FD7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FD7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FD7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FD7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FBB7AD,00000000), ref: 00FD7D6B

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 0e794c59d924480bc0e340c76f7557cf521dc094cc54d43590411721ae2c4e9a
Instruction ID: 963442dc14e614095becd1271c34d566b90aa38ce21f156861e2e2fc1777cf46
Opcode Fuzzy Hash: 0e794c59d924480bc0e340c76f7557cf521dc094cc54d43590411721ae2c4e9a
Instruction Fuzzy Hash: B211D232605715AFCB10AF38CC04A663BA7AF45370B194326F93ADB2E0E7358910EB80

Function 00FD5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00FD56BB
_wcslen.LIBCMT ref: 00FD56CD
_wcslen.LIBCMT ref: 00FD56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD5816

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: de823a2d4a07865f00401333b51eb7493eae8980a4eaff5e9403402942615ba0
Instruction ID: d3376e18a5b2d6d43e5fbf99643563121049c50388b6e457c67f16bee21a3fd2
Opcode Fuzzy Hash: de823a2d4a07865f00401333b51eb7493eae8980a4eaff5e9403402942615ba0
Instruction Fuzzy Hash: 95110672A0060896DF20DF75CC81AEE376DEF11B70B18402BF915D6281EB74C980EF61

Function 00F71D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2902bfdba2676dcb6b4cbf4fbd954fa77413e7d3e6f5c2477c78a847ff72b6d
Instruction ID: 892dc209b460ec2241f6fcae6c2f0b0863d1c673442d3631ec919c3f6d697721
Opcode Fuzzy Hash: e2902bfdba2676dcb6b4cbf4fbd954fa77413e7d3e6f5c2477c78a847ff72b6d
Instruction Fuzzy Hash: 9501DFB260561A3EFA21267C6CC1F27772DEF453B8F348327F528A21C2DB648C487562

Function 00FA1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FA1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA1A8A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 934709058d0915dba859399f7aa06c3ed626b23dff79877690b3d2259c9d1c1f
Instruction ID: f9621ef2c6d05a8931c646427c3e5c2ae99d42da08f7330b3672e3c0ea8f8f60
Opcode Fuzzy Hash: 934709058d0915dba859399f7aa06c3ed626b23dff79877690b3d2259c9d1c1f
Instruction Fuzzy Hash: F3113C7AD01219FFEB10DBA4CD85FADBB78FB04750F210091E604B7290D6716E50EB94

Function 00FAE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FAE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00FAE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FAE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FAE24D

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9c08cc3c70ebdc4a747aa73dce2a79bce8d2a256a4f740266ae551438d89f986
Instruction ID: d22446dcd13b10727a1652b8cb7087b68e86a18d3f78a7ee850eab70110642a0
Opcode Fuzzy Hash: 9c08cc3c70ebdc4a747aa73dce2a79bce8d2a256a4f740266ae551438d89f986
Instruction Fuzzy Hash: 1E1108B2D0425DBBC7159FB8DC09B9E7FADDB46324F008216F914D3284D2B9C90097A0

Function 00F6D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F6CFF9,00000000,00000004,00000000), ref: 00F6D218
GetLastError.KERNEL32 ref: 00F6D224
__dosmaperr.LIBCMT ref: 00F6D22B
ResumeThread.KERNEL32(00000000), ref: 00F6D249

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 851286881f1166c188f154c37f39f0ba7c4f57fd6d718c89a0a739b50af300ed
Instruction ID: 535e1a9763deb82eec6d37dbe9ffd9b0bcf65aed50b809f5a20289a2a9e06872
Opcode Fuzzy Hash: 851286881f1166c188f154c37f39f0ba7c4f57fd6d718c89a0a739b50af300ed
Instruction Fuzzy Hash: 8A01D236E05208BBDB116BA5DC09BAA7B69EF82330F104219F925921D0CB71C941E7A1

Function 00FD9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

GetClientRect.USER32(?,?), ref: 00FD9F31
GetCursorPos.USER32(?), ref: 00FD9F3B
ScreenToClient.USER32(?,?), ref: 00FD9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FD9F7A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7483894a7fdae465efb8d639f01da33153d17b4f4951cc5dbc931e9d1a72eef9
Instruction ID: d8c88dd38667004137be9136add2b87416190e78e50ed22179c550d8012973ba
Opcode Fuzzy Hash: 7483894a7fdae465efb8d639f01da33153d17b4f4951cc5dbc931e9d1a72eef9
Instruction Fuzzy Hash: E5115A3290411ABBDB14DFA8D8499EE77BEFF45311F440552F911E3240D374BA81EBA1

Function 00F4600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F4604C
GetStockObject.GDI32(00000011), ref: 00F46060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F4606A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f37ef73f829010dcaa859c826cd2834b915f9838691cfd12d4f83d330fe9d26b
Instruction ID: 2bee0e9f37d5d1c353083a27f04fdf1f41b6e837a5610023e067b3a744b2f5c0
Opcode Fuzzy Hash: f37ef73f829010dcaa859c826cd2834b915f9838691cfd12d4f83d330fe9d26b
Instruction Fuzzy Hash: D4115E72502509BFEF125FA89C44AEABF6AEF09365F040216FE1492110D736DC60EB91

Function 00F63B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F63B56

Part of subcall function 00F63AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F63AD2
Part of subcall function 00F63AA3: ___AdjustPointer.LIBCMT ref: 00F63AED

_UnwindNestedFrames.LIBCMT ref: 00F63B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F63B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F63BA4

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d014ef5fffb95e99a1d5588d228506e7e46806061907e2a4f472a161a901ff4e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C401E932500149BBDF126E95CC46EEB7B69EF99764F044014FE4896121C736E961FBA0

Function 00F73073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F413C6,00000000,00000000,?,00F7301A,00F413C6,00000000,00000000,00000000,?,00F7328B,00000006,FlsSetValue), ref: 00F730A5
GetLastError.KERNEL32(?,00F7301A,00F413C6,00000000,00000000,00000000,?,00F7328B,00000006,FlsSetValue,00FE2290,FlsSetValue,00000000,00000364,?,00F72E46), ref: 00F730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F7301A,00F413C6,00000000,00000000,00000000,?,00F7328B,00000006,FlsSetValue,00FE2290,FlsSetValue,00000000), ref: 00F730BF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b2e8c2744e116047ba2b73965a6040a9e8b1a46fe890f2754b4a83c400ca61ff
Instruction ID: 0c4ed3b621cd8eaf6521bfa76ecfff03bf1f15ab2585501bbf74ae4c2c2ef3d6
Opcode Fuzzy Hash: b2e8c2744e116047ba2b73965a6040a9e8b1a46fe890f2754b4a83c400ca61ff
Instruction Fuzzy Hash: 1F012B32752237BBCB314B799C44A577B99AF05B75B208722F90DE7180D721D901F6E1

Function 00FA7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FA747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FA7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FA74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FA74CA

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2b7ede768c0c574104c9cecb7221230c87a0a945add10f641f4277ddf6351352
Instruction ID: 518067caab4f43f6e9b181224ed1a54689ce0db79be864f4e75a808014b085fa
Opcode Fuzzy Hash: 2b7ede768c0c574104c9cecb7221230c87a0a945add10f641f4277ddf6351352
Instruction Fuzzy Hash: 7F1161F520A315DFE720EF24DD09F927BFCEB05B04F10856AAA56D6191D770E904EBA0

Function 00FAB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FAACD3,?,00008000), ref: 00FAB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FAACD3,?,00008000), ref: 00FAB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FAACD3,?,00008000), ref: 00FAB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FAACD3,?,00008000), ref: 00FAB126

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 784b9cdb666ca9c1be629a178a59e6262f05a0c66624a023fc677edc46f8eed6
Instruction ID: 2420747e6e2f042dc4e82dc0a6e547a18a25aab2d2ea2c18da03479c1f1e3d19
Opcode Fuzzy Hash: 784b9cdb666ca9c1be629a178a59e6262f05a0c66624a023fc677edc46f8eed6
Instruction Fuzzy Hash: 5B115B71C0152DE7CF00AFE5E9586EEBF78FF0A711F108096D941B2182CB305650EB91

Function 00FD7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FD7E33
ScreenToClient.USER32(?,?), ref: 00FD7E4B
ScreenToClient.USER32(?,?), ref: 00FD7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FD7E8A

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0fccab910d3bae94ad383e9bc273c031d928a502ebe0b6c7c8244e840279defc
Instruction ID: 86e23a032664c892fe31ea362329612a73e4de5746ff63856dcb9e0f84813761
Opcode Fuzzy Hash: 0fccab910d3bae94ad383e9bc273c031d928a502ebe0b6c7c8244e840279defc
Instruction Fuzzy Hash: 781113B9D0024AAFDB41DFA8C884AEEBBF5FB08310F505156E915E3210D735AA55DF90

Function 00FA2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FA2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA2DD6
GetCurrentThreadId.KERNEL32 ref: 00FA2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FA2DE4

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: aa53bc6a0c54aa7c36024e0886a9e6b03f671df624d821b485f85c22fcb8f337
Instruction ID: 554677d33bef9acd5fb445cfd6919ecf5dc549f4088b96b842475b6a01a585c2
Opcode Fuzzy Hash: aa53bc6a0c54aa7c36024e0886a9e6b03f671df624d821b485f85c22fcb8f337
Instruction Fuzzy Hash: 76E06DB26022297ADB201B779C0DFEB3F6DEF43BA1F000016B509D10819AA4C840E6F0

Function 00FD8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F59693
Part of subcall function 00F59639: SelectObject.GDI32(?,00000000), ref: 00F596A2
Part of subcall function 00F59639: BeginPath.GDI32(?), ref: 00F596B9
Part of subcall function 00F59639: SelectObject.GDI32(?,00000000), ref: 00F596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FD8887
LineTo.GDI32(?,?,?), ref: 00FD8894
EndPath.GDI32(?), ref: 00FD88A4
StrokePath.GDI32(?), ref: 00FD88B2

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e705bcc34697778792c5f5e917170c148fac1b5f27908201e50282dcc4c8cae1
Instruction ID: 2d0daca3b0d857225bd9d666d4816ba819d7b318afef7c315d28bbedbbee5cd1
Opcode Fuzzy Hash: e705bcc34697778792c5f5e917170c148fac1b5f27908201e50282dcc4c8cae1
Instruction Fuzzy Hash: F9F03A36046259FADB125FA4AC0DFCE3B5AAF06311F048002FB11A51E1C7BA5511EBE5

Function 00F598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F598CC
SetTextColor.GDI32(?,?), ref: 00F598D6
SetBkMode.GDI32(?,00000001), ref: 00F598E9
GetStockObject.GDI32(00000005), ref: 00F598F1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f520ed3297fe70097f9e091b5c2f7aee33b965c61431270d31814b4d2f08025e
Instruction ID: 52e3b317d40af3a297694235ee8c7ca6aae593c6e4a0e3498a7d0be693acd6b1
Opcode Fuzzy Hash: f520ed3297fe70097f9e091b5c2f7aee33b965c61431270d31814b4d2f08025e
Instruction Fuzzy Hash: B2E06532645395AAEF215B74BC09BD83F11AB11736F08821AF6F5540E1C3714640EB10

Function 00FA162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FA1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FA11D9), ref: 00FA163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FA11D9), ref: 00FA1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FA11D9), ref: 00FA164F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 59b41143f236e93c6fa6b54494f86106faeb434a5525df2633535b851b3f81dc
Instruction ID: 2fb1ae6736fe54361a3f60c57abe01d3d273836a48178a033dfcc75759fbda48
Opcode Fuzzy Hash: 59b41143f236e93c6fa6b54494f86106faeb434a5525df2633535b851b3f81dc
Instruction Fuzzy Hash: 60E08671A03216DBD7202FF09E0DB463B7DBF457A2F154809F245C9080D6344440E790

Function 00F9D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F9D858
GetDC.USER32(00000000), ref: 00F9D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F9D882
ReleaseDC.USER32(?), ref: 00F9D8A3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 24d8339d4c388b3c375de99e5963c875ee0929fc348bef045ce66aa6514261c8
Instruction ID: a4163ecf06345ebdb0d5d7cba521854b528d2c0587361f5aada2b23f749cdbe3
Opcode Fuzzy Hash: 24d8339d4c388b3c375de99e5963c875ee0929fc348bef045ce66aa6514261c8
Instruction Fuzzy Hash: 35E01AB180220ADFCF41AFB0D80C66DBBB6FB08311F24800AE80AE7250C7388905FF90

Function 00F9D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F9D86C
GetDC.USER32(00000000), ref: 00F9D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F9D882
ReleaseDC.USER32(?), ref: 00F9D8A3

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a7930260c5db0ea359d55ab11376c8c0ae5a6cae586ed1a5594b23ad82078e56
Instruction ID: 210ba5cd1230dceab46044e11cccb2675adbfb1c5a3fdc6aabc31500971eccc5
Opcode Fuzzy Hash: a7930260c5db0ea359d55ab11376c8c0ae5a6cae586ed1a5594b23ad82078e56
Instruction Fuzzy Hash: 9EE09A75802209DFCB51AFB0D80C66DBBB6FB08311B14944AE94AE7254C7399905FF90

Function 00FB4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FB4ED4

Strings

LPT, xrefs: 00FB4DFB
*, xrefs: 00FB4E10

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 28fb33c09469ff9e13d7ee9f9227ff8786336fecd2f731ec637d61be78e8f4f9
Instruction ID: 8c0fe2f76ff9b6c02aac727f085f2913fcbdd448aa18211c24c0dff7df8f7925
Opcode Fuzzy Hash: 28fb33c09469ff9e13d7ee9f9227ff8786336fecd2f731ec637d61be78e8f4f9
Instruction Fuzzy Hash: D3914B75A002149FCB14DF59C984EAABBF1AF48314F198099E80A9F3A2C735ED85DF91

Function 00F6E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F6E30D

Strings

pow, xrefs: 00F6E2E5, 00F6E302

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d28bcab09331b24efd3eb1db761a769766b9d4b2c0b2185fc4dc6cb3ce18b313
Instruction ID: 20c9d4b9e8e64b59101d28ef0e7a68ea34ecff6dfbf987c43918806a1ca08609
Opcode Fuzzy Hash: d28bcab09331b24efd3eb1db761a769766b9d4b2c0b2185fc4dc6cb3ce18b313
Instruction Fuzzy Hash: E7515E67E1C30196CB157714CD4237A3B99AB40760F30C96AE0D9873E9EF354C95BA87

Function 00FC7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00F9569E,00000000,?,00FDCC08,?,00000000,00000000), ref: 00FC78DD

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

CharUpperBuffW.USER32(00F9569E,00000000,?,00FDCC08,00000000,?,00000000,00000000), ref: 00FC783B

Strings

<s, xrefs: 00FC77C8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s
API String ID: 3544283678-4213590918
Opcode ID: 480c57ba2538e10d9f81012c4769f541967fcd1283311093293a3f13a38f6f16
Instruction ID: 96a5229eadfff3f18581976384787301201a173096072d1e63aebf4108de93f6
Opcode Fuzzy Hash: 480c57ba2538e10d9f81012c4769f541967fcd1283311093293a3f13a38f6f16
Instruction Fuzzy Hash: 5261317291421AAACF04FFA4CD92EFDB774BF14300B545129E942B7191EB386A05EBA1

Function 00F5E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F5E1B1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2e21b175a0e6e9aad40c320861dd50567785f0cebadc90a87241768fa9330774
Instruction ID: f6c279d41cb35a52c52a885ed9028c2bb1e17e8121d0e56815fd9bbf0292b2c3
Opcode Fuzzy Hash: 2e21b175a0e6e9aad40c320861dd50567785f0cebadc90a87241768fa9330774
Instruction Fuzzy Hash: CB513535D04346DFEF19DFA8C4816FA7BA8EF16320F244055ED619B2C0D6349E46EBA2

Function 00F5F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F5F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F5F2BB

Strings

@, xrefs: 00F5F2AF

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c67dcbeef0f789ad0ba845c4d45917a09ebe2226575768d3e68c403773878766
Instruction ID: d36f6a8659e82a4a379c35074c25bd9e4f602b61683757f4307f04a59384748b
Opcode Fuzzy Hash: c67dcbeef0f789ad0ba845c4d45917a09ebe2226575768d3e68c403773878766
Instruction Fuzzy Hash: 615166714097489BD320AF54DC86BABBBF8FF84310F81884DF5D941195EB358528DB67

Function 00FC5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FC57E0
_wcslen.LIBCMT ref: 00FC57EC

Strings

CALLARGARRAY, xrefs: 00FC57E6, 00FC57EB

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: c474e50f86db14c0130dc036c41956eadef4754854f82a4cb89a026f125f3859
Instruction ID: 3fca790127421973587c2d933986b46cb07efd6187136ebd734311f5a326bc3a
Opcode Fuzzy Hash: c474e50f86db14c0130dc036c41956eadef4754854f82a4cb89a026f125f3859
Instruction Fuzzy Hash: 3241A371E0010A9FCB14DFA8C982EBEBBB5EF59760F14405DF505A7291D734AD81EBA0

Function 00FBD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FBD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FBD13A

Strings

|, xrefs: 00FBD10B

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6c624d0f020d877ca9e8a3c5e0c5959bc0bc3e0d48022e9265991feb7770f459
Instruction ID: 7844fed17e9c79ee1b82ca2eab6b1403bdad48b49896b38e814b4775b78546b8
Opcode Fuzzy Hash: 6c624d0f020d877ca9e8a3c5e0c5959bc0bc3e0d48022e9265991feb7770f459
Instruction Fuzzy Hash: 30315C71D00209ABDF15EFA5CC85AEEBFB9FF05310F000019F815A6162EB35AA06EF65

Function 00FD356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FD3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FD365C

Strings

static, xrefs: 00FD35BC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d1ca289f7715d3d39137dcea50ff204b9e576b04e9d58d1110216300194c55db
Instruction ID: cfe5a7b52abd5f6bb5b3e7ebdc5b3d8b5d58e3dc1700f17b02b9161fc681e2d5
Opcode Fuzzy Hash: d1ca289f7715d3d39137dcea50ff204b9e576b04e9d58d1110216300194c55db
Instruction Fuzzy Hash: 0D318D71510604AEDB109F38DC81FFB73AAFF88760F04961AF9A597280DA35ED81E761

Function 00FD4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00FD461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD4634

Strings

', xrefs: 00FD458E

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ffdc0e40038bdc682c8815f290e7f67eb2c2481a19bd011eda7390d91bfc6632
Instruction ID: 67e698e758890f890fba7e31aae9aa833399596a985d57542cc404d8803fd1b1
Opcode Fuzzy Hash: ffdc0e40038bdc682c8815f290e7f67eb2c2481a19bd011eda7390d91bfc6632
Instruction Fuzzy Hash: 50314974A0020A9FDF14CF69D980BDABBB6FF09300F18406AE905AB381D730E901DF90

Function 00FD31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FD327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD3287

Strings

Combobox, xrefs: 00FD3249

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c090b47fcb8dd6cf9325ea9c30874194ee86a4e03fd82f9a99d6981cfaf21fd3
Instruction ID: dc8525519bc31dcfdcb216709ffa181f2b8d2b6d7bc0d07a68243f73b9aa98d3
Opcode Fuzzy Hash: c090b47fcb8dd6cf9325ea9c30874194ee86a4e03fd82f9a99d6981cfaf21fd3
Instruction Fuzzy Hash: 7711E272B002087FFF219F54DC80EBB3B6BEB983A5F14412AFA1897390D6359D51A760

Function 00FD3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F4604C
Part of subcall function 00F4600E: GetStockObject.GDI32(00000011), ref: 00F46060
Part of subcall function 00F4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F4606A

GetWindowRect.USER32(00000000,?), ref: 00FD377A
GetSysColor.USER32(00000012), ref: 00FD3794

Strings

static, xrefs: 00FD3757

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 73e4a22ffaa92d1176df983dc5cfaa246755bdd816483c9d1ee1461ea165dde6
Instruction ID: 48f4113ad9ebff633ec2720c3d03e955949e9c0acd7872a4dfac6d9d20d2d231
Opcode Fuzzy Hash: 73e4a22ffaa92d1176df983dc5cfaa246755bdd816483c9d1ee1461ea165dde6
Instruction Fuzzy Hash: 661129B261060AAFDF00DFB8CC46AEA7BB9EB08354F044516FE55E2250D735E851EB61

Function 00FBCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FBCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FBCDA6

Strings

<local>, xrefs: 00FBCD66

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a7468711d98d928b33e0ee459af8595e21f00b5fac97d94e8abee5b419e6ee2b
Instruction ID: f0e9d710e17a0b26d306bc66b64ad98a2a3abc49da39f77ab9115ff64c95a71c
Opcode Fuzzy Hash: a7468711d98d928b33e0ee459af8595e21f00b5fac97d94e8abee5b419e6ee2b
Instruction Fuzzy Hash: 6A1106766016367AD7344B678C44FE7BE6DEF167B4F40422AB16983080D7709840EAF0

Function 00FD3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FD34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FD34BA

Strings

edit, xrefs: 00FD348F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9eb2547906e39445bbb84b1a7d1b3ff1c0276a2430fa5086b7b5fe6bf77ce575
Instruction ID: 07000f095f3f13c896c4f9655ed4100bb46ad2a00beb57e6f76ea9895ca8bcc4
Opcode Fuzzy Hash: 9eb2547906e39445bbb84b1a7d1b3ff1c0276a2430fa5086b7b5fe6bf77ce575
Instruction Fuzzy Hash: C511BF71500108AFEB118E64EC40AEB3B6BEB06374F544326FA60932D4C779DC51A752

Function 00FA6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

CharUpperBuffW.USER32(?,?,?), ref: 00FA6CB6
_wcslen.LIBCMT ref: 00FA6CC2

Strings

STOP, xrefs: 00FA6CBC, 00FA6CC1

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: cc202633acb14ff4d08e817a975b7b32080a39d4b15144e781eb1f2fdaf10369
Instruction ID: 983bc9fae856d0a0f79cbfb9d5e09e2746932594367d8db9012ca773b80554e7
Opcode Fuzzy Hash: cc202633acb14ff4d08e817a975b7b32080a39d4b15144e781eb1f2fdaf10369
Instruction Fuzzy Hash: 43012272A0452B8BCB20AFBDDC809BF37B5EF62770B090528E962D3195EB35D900E650

Function 00FA1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FA1D4C

Strings

ComboBox, xrefs: 00FA1CEB
ListBox, xrefs: 00FA1D16

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 617fca191d7dd11a69a110c2557a5fea1264c430d370e83afa0486ac498693df
Instruction ID: cc9a2320bda846a6d493d5529d595992b96e1e4f50129c63a3b67db230c2b1ad
Opcode Fuzzy Hash: 617fca191d7dd11a69a110c2557a5fea1264c430d370e83afa0486ac498693df
Instruction Fuzzy Hash: 8E0128B5B11229ABCB04EBA4CC51DFF77A8FF03360F000609F872572C1EA745908AA60

Function 00FA1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FA1C46

Strings

ComboBox, xrefs: 00FA1BE5
ListBox, xrefs: 00FA1C10

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 09506c317ebbad6138e42e08b54ad345b2874dc64f5072b15ba7923d7501ce4a
Instruction ID: 88ab8276f092aec8d371cfa0c5352bb8dfd31f811e9b8396271edcce3b779856
Opcode Fuzzy Hash: 09506c317ebbad6138e42e08b54ad345b2874dc64f5072b15ba7923d7501ce4a
Instruction Fuzzy Hash: 5C01A7B5BC111966DB04EBA0DD51EFF77ACAF12360F140019B906672C2EA649E08E6B1

Function 00FA1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FA1CC8

Strings

ComboBox, xrefs: 00FA1C69
ListBox, xrefs: 00FA1C94

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 52a05a1cc86b03f60d96108e0523d00414f24dd1e240464c2ae51b835d8d5b46
Instruction ID: 7f26de14975ad76f7cb391e1f104bad50552ab36879eab2db5934e8ba299df99
Opcode Fuzzy Hash: 52a05a1cc86b03f60d96108e0523d00414f24dd1e240464c2ae51b835d8d5b46
Instruction Fuzzy Hash: A701DBF5B8111967DF04E7A4DE41AFF77E8AB12350F540015BC0177281EA649F08E6B1

Function 00FA1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FA1DD3

Strings

ComboBox, xrefs: 00FA1D75
ListBox, xrefs: 00FA1DA0

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f6e5098ee53fa133dc067f4dfaebed667e363460f7e763cb6a38e0742d75a920
Instruction ID: 8a717fe9351c1af4afed735af008173e90f9f68a30bfe0655969acf207fc17bd
Opcode Fuzzy Hash: f6e5098ee53fa133dc067f4dfaebed667e363460f7e763cb6a38e0742d75a920
Instruction Fuzzy Hash: 3CF02DB1F5122966D704F7A4DC51FFF77B8BB03350F040919B822672C1DA645908A6A0

Function 00FC747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FC7493
_wcslen.LIBCMT ref: 00FC74B9

Strings

3, 3, 16, 1, xrefs: 00FC7483

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a36e930afb44a3518ccc8af864ff0eb7e0e3b78f3381e04ce3bf4273ab61d3ec
Instruction ID: 4139662d3c10d582cd10358620ed8d6820aec23864311858b6ddddd679364ffa
Opcode Fuzzy Hash: a36e930afb44a3518ccc8af864ff0eb7e0e3b78f3381e04ce3bf4273ab61d3ec
Instruction Fuzzy Hash: 9CE02B0264472150A235327A9DC3F7F668ADFC5760710182FF981C2266EA989D91B3A0

Function 00FA0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FA0B23

Strings

Error allocating memory., xrefs: 00FA0B1C
AutoIt, xrefs: 00FA0B17

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3c1796cb818597e47c4f29da19f41308d0630ee85c802f6517492550de7c71db
Instruction ID: dc859632ecd3e1546785410070eeda7d911d82f87584a590524abb3a66d73a3d
Opcode Fuzzy Hash: 3c1796cb818597e47c4f29da19f41308d0630ee85c802f6517492550de7c71db
Instruction Fuzzy Hash: F7E0D83124430926D2143754BC03F897B958F06B61F10046BFB98955C38ED66454B6EA

Function 00F60D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F5F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F60D71,?,?,?,00F4100A), ref: 00F5F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F4100A), ref: 00F60D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F4100A), ref: 00F60D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F60D7F

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ac3529a3d0686d770be90c81d12c04f095082f11fd8bfde80f0f362f9b77950e
Instruction ID: 797f72d78692eba4c7fcd944ff673ef840dcc576e3c4bba87ec3f66abf5200ab
Opcode Fuzzy Hash: ac3529a3d0686d770be90c81d12c04f095082f11fd8bfde80f0f362f9b77950e
Instruction Fuzzy Hash: CBE06D702003018BD3309FB8E8047427BE5AB04746F048A2EE882C6756DFB9E448EB91

Function 00FB3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FB302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FB3044

Strings

aut, xrefs: 00FB3038

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3fee4758380c5905f716aecb2a16d044a21bf7050ca442e33ce0abf0b01d8c3a
Instruction ID: 0c84de8c25d52040d7f2433b778fd338bedc24f4d3332f4e22c30a575c52aacb
Opcode Fuzzy Hash: 3fee4758380c5905f716aecb2a16d044a21bf7050ca442e33ce0abf0b01d8c3a
Instruction Fuzzy Hash: D3D05E725013286BDA20A7A5AC0EFCB3B6CDB05761F0002A2B695D6091DAB09984CAE0

Function 00F9D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F9D220

Strings

%.3d, xrefs: 00F9D22B
X64, xrefs: 00F9D2A8

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: dfb9e0e09aec5f9e2aa4a38fcc5a8b4cb2710fc71dd152aa5e3a41254ca40768
Instruction ID: 39217a97fbfb504fbad1abeb6071fc9cecca4aadfc1a16f3cc6ef68f52376d41
Opcode Fuzzy Hash: dfb9e0e09aec5f9e2aa4a38fcc5a8b4cb2710fc71dd152aa5e3a41254ca40768
Instruction Fuzzy Hash: 96D01262805109E9EF9097E0CC45AB9B37CAB58302F708452FE46D1040D628D50CB761

Function 00FD2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD236C
PostMessageW.USER32(00000000), ref: 00FD2373

Part of subcall function 00FAE97B: Sleep.KERNEL32 ref: 00FAE9F3

Strings

Shell_TrayWnd, xrefs: 00FD2365

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c0c5ea0ab3711434364ac77209f02926ab26f589d25aa6ad3ae80743841ac0fb
Instruction ID: 84a2c71c895f61b7551ff2ca5d040f30c702a5b6dc4c17d44246cebd3a19697f
Opcode Fuzzy Hash: c0c5ea0ab3711434364ac77209f02926ab26f589d25aa6ad3ae80743841ac0fb
Instruction Fuzzy Hash: 57D0A9323823107AEA64A330AC0FFC6761AAB04B00F0009067249AA1D0C9A0A800DA84

Function 00FD2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FD233F

Part of subcall function 00FAE97B: Sleep.KERNEL32 ref: 00FAE9F3

Strings

Shell_TrayWnd, xrefs: 00FD2325

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 375b38f779c1b4ab15819f9160a34b267b719f0294d13d34b5233b480af75a60
Instruction ID: fd9e402f0985b9e8a193fab477fec8fd305b7d7b2d166c1b540e9fa573e4fffd
Opcode Fuzzy Hash: 375b38f779c1b4ab15819f9160a34b267b719f0294d13d34b5233b480af75a60
Instruction Fuzzy Hash: AAD02232381310B7EA64B330EC0FFC77B1AAB00B00F0009077349AA1D0C9F0A800DA80

Function 00F7BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F7BE93
GetLastError.KERNEL32 ref: 00F7BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F7BEFC

Memory Dump Source

Source File: 00000000.00000002.1821729988.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1821704733.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821829043.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821898063.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821929379.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 53624437620965050912355c715a139342a3f17ff5afa2e5b0d0265afe989967
Instruction ID: da1d9c4d5d6e29afcda7e028196763bd3f064e28420e45f65e2b2d48ec2503bd
Opcode Fuzzy Hash: 53624437620965050912355c715a139342a3f17ff5afa2e5b0d0265afe989967
Instruction Fuzzy Hash: F541E835A05216AFCF218FA4CC54BEA7BA59F43720F14816BF95D972A1DB308C00EB62

Analysis Process: firefox.exePID: 7304, Parent PID: 7736COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000020C11DD58B7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000020C11DD58DC

Memory Dump Source

Source File: 00000010.00000002.3019297296.0000020C11DD1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000020C11DD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_20c11dd1000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d9d5a31d5643b08b1e31eabad482829a6449e6c5d9634ec843b00a3b707c460b
Instruction ID: b0cf8ce55e97730b72aac18850773f16c71a74672b16b831f3221574f3da2a72
Opcode Fuzzy Hash: d9d5a31d5643b08b1e31eabad482829a6449e6c5d9634ec843b00a3b707c460b
Instruction Fuzzy Hash: 84A3D771624B488BDB2EEF28DC856A9B7D5FB55300F14432EDD4BC7292DE34E9428B81

Function 0000020C11DDDA06 Relevance: .5, Instructions: 547
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.3019297296.0000020C11DDD000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000020C11DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_20c11ddd000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd9f4b42d26cde6787c208c0cadc1e2cdd8fdf69ae2be3afdb9f30e8a50c6e2
Instruction ID: 2cd394977264ec78219b002300cfcc47264342b418c53ef539297b07b81d6a7b
Opcode Fuzzy Hash: 4dd9f4b42d26cde6787c208c0cadc1e2cdd8fdf69ae2be3afdb9f30e8a50c6e2
Instruction Fuzzy Hash: 2B21847150CB894FDB46DF28D884B967BE0FB5A310F1406AFE0D9C7292D674D949C782

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1985458304.00000298FFA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1985458304.00000298FFA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1984811129.00000298873B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1979365336.000002988E258000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962595375.000002988F974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1979365336.000002988E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963508678.000002988F5C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854585762.000002988E287000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1979365336.000002988E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854585762.000002988E287000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963508678.000002988F5C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960119629.0000029891A17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963508678.000002988F5B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1979365336.000002988E258000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962595375.000002988F974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971597638.00000298878D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1987843430.000002988F4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964264894.000002988F4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854363427.000002988F4F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1987843430.000002988F4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964264894.000002988F4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854363427.000002988F4F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: doff-text" data-l10n-args="{"engine": "Google"}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"YouTube"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000000D.00000003.1985458304.00000298FFA77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: doff-text" data-l10n-args="{"engine": "Google"}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"YouTube"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000000D.00000003.1979365336.000002988E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963508678.000002988F5C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854585762.000002988E287000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1979365336.000002988E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963508678.000002988F5C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854585762.000002988E287000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000002.3014895067.000001F7FF40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000002.3014895067.000001F7FF40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000014.00000002.3014895067.000001F7FF40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3015225093.0000020C1180A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014895067.000001F7FF40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3015225093.0000020C1180A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014895067.000001F7FF40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3015225093.0000020C1180A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014895067.000001F7FF40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1979365336.000002988E258000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962595375.000002988F974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971597638.00000298878D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1971597638.00000298878B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49859 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2601dfeb-0752-4fcc-90d7-32c92a6d0e47.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2601dfeb-0752-4fcc-90d7-32c92a6d0e47.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre