Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1543309
MD5:	e019cbb1029010358e34b47bcd26f96e
SHA1:	91bfc19f92bb68ebb2cb73b25a9beb3876e348e8
SHA256:	9b26e581c1073354a415a7abfac8555fab57f4212bd6640fffa00746b57bff81
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E019CBB1029010358E34B47BCD26F96E)

taskkill.exe (PID: 7556 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7656 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7720 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7784 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7840 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7904 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7940 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7956 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7180 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6e55d6-3507-42fc-a6ff-2bbf3adcec51} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b52e6ef10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8028 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3496 -parentBuildID 20230927232528 -prefsHandle 4208 -prefMapHandle 4220 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b3d612c-979a-427a-99fc-91fa3c906465} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b52e7bc10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7820 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52b8d9af-cf91-4aa6-9054-6272d401c2b9} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b642a8110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1775790580.00000000018C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7540	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0103EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0103EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0103ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0103EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0102AB9C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01059576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01059576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1716143245.0000000001082000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d0bedb02-d
Source: file.exe, 00000000.00000000.1716143245.0000000001082000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_88f1234c-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9d05323d-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_81ebb771-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E48B466BB7 NtQuerySystemInformation,		16_2_000001E48B466BB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E48B483CF2 NtQuerySystemInformation,		16_2_000001E48B483CF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0102D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01021201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01021201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0102E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC8060	0_2_00FC8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01032046	0_2_01032046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01028298	0_2_01028298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFE4FF	0_2_00FFE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF676B	0_2_00FF676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01054873	0_2_01054873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCCAF0	0_2_00FCCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FECAA0	0_2_00FECAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDCC39	0_2_00FDCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF6DD9	0_2_00FF6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC91C0	0_2_00FC91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDB119	0_2_00FDB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE1394	0_2_00FE1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE1706	0_2_00FE1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE781B	0_2_00FE781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE19B0	0_2_00FE19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD997D	0_2_00FD997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC7920	0_2_00FC7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE7A4A	0_2_00FE7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE7CA7	0_2_00FE7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE1C77	0_2_00FE1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF9EEE	0_2_00FF9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104BE44	0_2_0104BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE1F32	0_2_00FE1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E48B466BB7	16_2_000001E48B466BB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E48B483CF2	16_2_000001E48B483CF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E48B483D32	16_2_000001E48B483D32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E48B48441C	16_2_000001E48B48441C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FE0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FDF9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@65/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010337B5 GetLastError,FormatMessageW,

0_2_010337B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010210BF AdjustTokenPrivileges,CloseHandle,		0_2_010210BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_010216C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_010351CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0102D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0103648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FC42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1904559463.0000022B6E7A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1904559463.0000022B6E7CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1941584709.0000022B63DDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE moz_places SET foreign_count = foreign_count + 1 WHERE id = NEW.place_id;

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6e55d6-3507-42fc-a6ff-2bbf3adcec51} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b52e6ef10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3496 -parentBuildID 20230927232528 -prefsHandle 4208 -prefMapHandle 4220 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b3d612c-979a-427a-99fc-91fa3c906465} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b52e7bc10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52b8d9af-cf91-4aa6-9054-6272d401c2b9} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b642a8110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6e55d6-3507-42fc-a6ff-2bbf3adcec51} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b52e6ef10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3496 -parentBuildID 20230927232528 -prefsHandle 4208 -prefMapHandle 4220 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b3d612c-979a-427a-99fc-91fa3c906465} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b52e7bc10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52b8d9af-cf91-4aa6-9054-6272d401c2b9} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b642a8110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1841261446.0000022B605C9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 0000000D.00000003.1842574771.0000022B605CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1841261446.0000022B605C9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1839125036.0000022B6EE03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: npmproxy.pdb source: firefox.exe, 0000000D.00000003.1842574771.0000022B605CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1839125036.0000022B6EE03000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FC42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE0A76 push ecx; ret

0_2_00FE0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FDF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01051C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01051C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94806

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001E48B466BB7 rdtsc

16_2_000001E48B466BB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0102DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0103698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010368EE FindFirstFileW,FindClose,	0_2_010368EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0102D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0102D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0103979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01039642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01039642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01039B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01039B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01035C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01035C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FC42DE

Source: firefox.exe, 0000000F.00000002.2978032745.00000266A21DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`e
Source: firefox.exe, 00000010.00000002.2977675494.000001E48AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: firefox.exe, 00000010.00000002.2983239101.000001E48B4C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllve
Source: firefox.exe, 0000000F.00000002.2978032745.00000266A2205000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2983239101.000001E48B4C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2981902428.00000225418A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2977492125.000002254140A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2982465008.00000266A261D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2983156124.00000266A2708000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2978032745.00000266A2205000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2983239101.000001E48B4C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.2983239101.000001E48B4C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001E48B466BB7 rdtsc

16_2_000001E48B466BB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103EAA2 BlockInput,

0_2_0103EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FF2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FC42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00FE4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01020B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_01020B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FF2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FE083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE09D5 SetUnhandledExceptionFilter,	0_2_00FE09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FE0C21

Source: C:\Users\user\Desktop\file.exe

0_2_01021201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01002BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_01002BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102B226 SendInput,keybd_event,

0_2_0102B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102E355 mouse_event,

0_2_0102E355

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_01020B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01021663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_01021663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1829062950.0000022B6EE03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE0698 cpuid

0_2_00FE0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01038195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_01038195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0101D27A GetUserNameW,

0_2_0101D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FFBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FC42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1775790580.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7540, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1775790580.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7540, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01041204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_01041204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01041806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01041806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggestabout	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.184.206	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.186.142	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1910945949.0000022B66633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956412555.0000022B66650000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AEC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2979165806.00000225417C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1918415300.0000022B6ED8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1957855307.0000022B656B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904559463.0000022B6E7A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919426364.0000022B6E7A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936168112.0000022B656B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2979854996.00000266A25C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AEE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982081312.0000022541A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.2979854996.00000266A2572000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AE86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2979165806.000002254178F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1972476538.0000022B63996000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1798836448.0000022B64967000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1945409428.0000022B66694000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1906987383.0000022B6B011000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://screenshots.firefox.com	firefox.exe, 0000000D.00000003.1944423708.0000022B5EFAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1923455205.0000022B65280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1758328868.0000022B62B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757729582.0000022B62B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758536201.0000022B62B5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757528463.0000022B62900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758728723.0000022B62B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1963789400.0000022B64795000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933486824.0000022B64795000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923113951.0000022B652E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931027776.0000022B652E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942303173.0000022B637F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1908686074.0000022B6AB4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798836448.0000022B64967000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1908686074.0000022B6ABB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962141174.0000022B6ABB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1906987383.0000022B6B011000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758536201.0000022B62B5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757528463.0000022B62900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959221543.0000022B65291000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758728723.0000022B62B7B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1956486286.0000022B66633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910945949.0000022B66633000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1758328868.0000022B62B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757729582.0000022B62B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758536201.0000022B62B5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757528463.0000022B62900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758728723.0000022B62B7B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1937516154.0000022B6447C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1941584709.0000022B63DE7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1972476538.0000022B63996000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2979854996.00000266A25C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AEE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982081312.0000022541A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1919617969.0000022B6CB62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1908049781.0000022B6AD51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927290159.0000022B6B04D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927290159.0000022B6B053000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1910898945.0000022B66679000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1908686074.0000022B6ABCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954583903.0000022B6ABCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2979854996.00000266A25C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AEE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982081312.0000022541A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1965194376.0000022B646E4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000D.00000003.1902119779.0000022B5EC7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1539075https://bugzilla.mozilla.org/show_bug.cgi?id=161	firefox.exe, 0000000D.00000003.1798836448.0000022B64967000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000010.00000002.2978657916.000001E48AE0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2979165806.000002254170C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1817621384.0000022B6351E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1919617969.0000022B6CB1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953097564.0000022B6CB57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947116265.0000022B6CB1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1954465197.0000022B6AD51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AEC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2979165806.00000225417C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1817621384.0000022B6351E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1863187245.0000022B6417E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869629803.0000022B6417E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1947116265.0000022B6CB1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1923455205.0000022B65280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1908686074.0000022B6ABCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954583903.0000022B6ABCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000011.00000002.2979165806.0000022541713000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1913514243.0000022B653DA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.2978657916.000001E48AE86000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1908686074.0000022B6AB4D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1972818197.0000022B63970000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1960643545.0000022B64F9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816400500.0000022B635C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970912385.0000022B661E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911904602.0000022B66156000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957855307.0000022B65630000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863187245.0000022B6415F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889127549.0000022B634C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870838865.0000022B651D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923917510.0000022B64191000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885383052.0000022B655B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889127549.0000022B63483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911724697.0000022B66179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885383052.0000022B6559C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866236940.0000022B6316F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913337517.0000022B6573F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864025745.0000022B63483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909865031.0000022B6AB1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887240589.0000022B655B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888516391.0000022B635B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793923468.0000022B6AC8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863187245.0000022B64191000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1956486286.0000022B66633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910945949.0000022B66633000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile.services.mozilla.comP5	firefox.exe, 0000000D.00000003.1954256430.0000022B6AD9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934653488.0000022B6AD51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921285593.0000022B6AD51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908049781.0000022B6AD51000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1956486286.0000022B66633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910945949.0000022B66633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956754119.0000022B663F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1954583903.0000022B6AB82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929388753.0000022B6AB8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908686074.0000022B6AB8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1935039661.0000022B6AB8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1913069836.0000022B65798000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910781479.0000022B66681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965194376.0000022B646E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921867246.0000022B66681000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1913069836.0000022B65798000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910781479.0000022B66681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965194376.0000022B646E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921867246.0000022B66681000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1972818197.0000022B63970000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1795926965.0000022B6B09F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948021728.0000022B6B0A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961727854.0000022B6B0A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927290159.0000022B6B0A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906987383.0000022B6B0A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798836448.0000022B64967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970043950.0000022B6B0A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1962141174.0000022B6ABBA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1906987383.0000022B6B03F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1894336157.0000022B61023000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763560362.0000022B61033000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1931451621.0000022B65221000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1909908334.0000022B6AAA2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1817661884.0000022B63532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817621384.0000022B6351E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1902119779.0000022B5EC7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894336157.0000022B61023000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763560362.0000022B61033000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1919617969.0000022B6CB1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953097564.0000022B6CB57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947116265.0000022B6CB1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2979854996.00000266A25C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AEE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982081312.0000022541A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1965027751.0000022B646F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2979008742.00000266A2250000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2982640519.000001E48B400000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2978727377.00000225415C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1798836448.0000022B64967000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
142.250.184.206	youtube.com	United States	15169	GOOGLEUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543309
Start date and time:	2024-10-27 16:09:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@65/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.10.231.25, 52.10.6.163, 44.237.129.44, 142.250.185.142, 2.22.61.59, 2.22.61.56, 142.250.185.206, 142.250.185.234, 142.250.185.138
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, ocsp.edge.digicert.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:10:12	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
services.addons.mozilla.org	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	R40XD2LfcZ.exe	Get hash	malicious	Clipboard Hijacker	Browse	34.175.139.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	48.179.8.151
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	R40XD2LfcZ.exe	Get hash	malicious	Clipboard Hijacker	Browse	34.175.139.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	48.179.8.151
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8722b5ba-2626-408a-8bee-fba4cfc006cd.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1808620517145645
Encrypted:	false
SSDEEP:	192:M2jMXc+xcbhbVbTbfbRbObtbyEl7ngroJA6WnSrDtTUd/SkDrU:1YVcNhnzFSJArbBnSrDhUd/m
MD5:	B3551225AF2EC0A4D4B9C9441B90E64A
SHA1:	6A3D891953C1B192F8A4D730340E5B3010FFDF36
SHA-256:	60987E067F1938351921DC670664BC630A8F3B439C052AD823B7999D04BE2CA0
SHA-512:	B9D9943335CBB693D23A23B4CC5F7ABF33378DE5DAAD94216F5E80A834748407C60A981FB0774F76290F38070FC2E4FA71277A4F5529FAA79950AB6FBDE48E95
Malicious:	false
Preview:	{"type":"uninstall","id":"8722b5ba-2626-408a-8bee-fba4cfc006cd","creationDate":"2024-10-27T17:07:08.096Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8722b5ba-2626-408a-8bee-fba4cfc006cd.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1808620517145645
Encrypted:	false
SSDEEP:	192:M2jMXc+xcbhbVbTbfbRbObtbyEl7ngroJA6WnSrDtTUd/SkDrU:1YVcNhnzFSJArbBnSrDhUd/m
MD5:	B3551225AF2EC0A4D4B9C9441B90E64A
SHA1:	6A3D891953C1B192F8A4D730340E5B3010FFDF36
SHA-256:	60987E067F1938351921DC670664BC630A8F3B439C052AD823B7999D04BE2CA0
SHA-512:	B9D9943335CBB693D23A23B4CC5F7ABF33378DE5DAAD94216F5E80A834748407C60A981FB0774F76290F38070FC2E4FA71277A4F5529FAA79950AB6FBDE48E95
Malicious:	false
Preview:	{"type":"uninstall","id":"8722b5ba-2626-408a-8bee-fba4cfc006cd","creationDate":"2024-10-27T17:07:08.096Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927624308367528
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLn/P8P:8S+OBIUjOdwiOdYVjjwLn/P8P
MD5:	81F8FD22B218FD9069546C0514B84F3F
SHA1:	206DBDD6F3ECCAE9AB3131F161EC6F7B6B14FCEA
SHA-256:	14AB0672ADB35BAEFB2BDC5DAC0222D21CF16BD7335AB0B35CECC9EE4831364F
SHA-512:	915C2C2D977B31D2FCB8FF4F9F06E32C5D4FD5D132762FFEEA0AE771DEBA7FCC56EBF2459BB14FA3AC0AB6699B082557880E10003F7D257EC45F5024ED67A0C3
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927624308367528
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLn/P8P:8S+OBIUjOdwiOdYVjjwLn/P8P
MD5:	81F8FD22B218FD9069546C0514B84F3F
SHA1:	206DBDD6F3ECCAE9AB3131F161EC6F7B6B14FCEA
SHA-256:	14AB0672ADB35BAEFB2BDC5DAC0222D21CF16BD7335AB0B35CECC9EE4831364F
SHA-512:	915C2C2D977B31D2FCB8FF4F9F06E32C5D4FD5D132762FFEEA0AE771DEBA7FCC56EBF2459BB14FA3AC0AB6699B082557880E10003F7D257EC45F5024ED67A0C3
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329954544034102
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiDw:DLhesh7Owd4+jiD
MD5:	611B561209D80D560148CED8C46A9E15
SHA1:	65A8D3F186F4274AB5AAFCC348BDC6F71EFC0529
SHA-256:	D666FB71D813084123F4F703B396996A66CB2865DAE014FE6A8EB96D6FAC2951
SHA-512:	EC4EA3400BF1D8BD8ACA07721C82DACD314A8039BFEE88F0D45B5AE8947617B3D6F15D535E501EC6C822AF4A0554FD18D4E6F610E15463749B13044131C30C08
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03413860861779078
Encrypted:	false
SSDEEP:	3:GtlstFDiE/MF0FZklstFDiE/MF0FZhlJ89//alEl:GtWtg0MWFZkWtg0MWFZhlJ89XuM
MD5:	F1D236FEF17AD46A7346D8972CEC9187
SHA1:	562738D3A602C24F1BC071EC978CBC0CA6049FC0
SHA-256:	F1CB1BD5495A5BB5BFB19233A3EC9462039D10224DA226535EFA75DD2909B1F4
SHA-512:	60D2CF14B018D99EECBE3CF2613652E76EAD8E1E3C89AA68CC39E1712862C7767F6BBD7C906CE07319D0E026597055277218BCFF3219EBEAE676EB05F127693F
Malicious:	false
Preview:	..-.....................T3..Ku.............G.iu..-.....................T3..Ku.............G.iu........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03918880224852738
Encrypted:	false
SSDEEP:	3:Ol1sh/qpGS7el/o/fMWA737l8rEXsxdwhml8XW3R2:KK0H1kLl8dMhm93w
MD5:	7E9E19FBA413CFC44AB8A16DB75DE674
SHA1:	61C36035DF57BD008358AB4FC72AEE7308A8C5E1
SHA-256:	19829759295B0E5026BFD95D10AE3D5C6530BB95564E074A3BE9FA8EA80EDBCE
SHA-512:	C4380FA5C6BAAF1EA84FF2AD55CC7D309B7FCDCEB6D3F193B25826DE80AADE730958EF60BDF725A04E262107904347B2F4705EAD236344A7B7677415FA1FAA97
Malicious:	false
Preview:	7....-.................... .^..................3T..uK................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495142194232298
Encrypted:	false
SSDEEP:	192:5naRtLYbBp62hj4qyaaXt6KvQN/nq5RfGNBw8deSl:ke8q/8gicwZ0
MD5:	DB432C08E5248013BC8D0DD9C6F2EB97
SHA1:	2386E70AC35E1B715C24D5DE4EDBE8A037DB4478
SHA-256:	6AD733D8744E6CA8BF8CBB4118A9EF3E1F393898B2F2D2B5B3D88F6DAEE121F5
SHA-512:	56E99B3EA8E3702F89183BA7E668490E5530E4020843A526D27FEB49F01129A3B0162E57591EE9944F49C1AB985CA123F25CF4B9E58135281638AFAFB9066A97
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730048798);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730048798);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730048798);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173004

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495142194232298
Encrypted:	false
SSDEEP:	192:5naRtLYbBp62hj4qyaaXt6KvQN/nq5RfGNBw8deSl:ke8q/8gicwZ0
MD5:	DB432C08E5248013BC8D0DD9C6F2EB97
SHA1:	2386E70AC35E1B715C24D5DE4EDBE8A037DB4478
SHA-256:	6AD733D8744E6CA8BF8CBB4118A9EF3E1F393898B2F2D2B5B3D88F6DAEE121F5
SHA-512:	56E99B3EA8E3702F89183BA7E668490E5530E4020843A526D27FEB49F01129A3B0162E57591EE9944F49C1AB985CA123F25CF4B9E58135281638AFAFB9066A97
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730048798);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730048798);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730048798);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173004

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\b68abcef-09b3-4be7-9a66-c579c60be5da (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.963669526307857
Encrypted:	false
SSDEEP:	12:YZFgfTpJJIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YATTJSlCOlZGV1AQIWZcy6Z2d
MD5:	E81240EB5B20667475A6050BD9B80D39
SHA1:	6A8BEFB8C8C05765C3B0F4ECA549200C15AD21D2
SHA-256:	9DE11A40C59F898E6CFCE8B670C5028071F98FB8D9AD10B4E944FD9B1A495966
SHA-512:	7FACD73EDC401D72EB7CCFBD61373E6478DA90485A03164B64E884ECE247219403E777F41820BB26B4F047CFBBA3728943B41915AD109C441F8BE53D86EA2F01
Malicious:	false
Preview:	{"type":"health","id":"b68abcef-09b3-4be7-9a66-c579c60be5da","creationDate":"2024-10-27T17:07:08.768Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\b68abcef-09b3-4be7-9a66-c579c60be5da.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.963669526307857
Encrypted:	false
SSDEEP:	12:YZFgfTpJJIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YATTJSlCOlZGV1AQIWZcy6Z2d
MD5:	E81240EB5B20667475A6050BD9B80D39
SHA1:	6A8BEFB8C8C05765C3B0F4ECA549200C15AD21D2
SHA-256:	9DE11A40C59F898E6CFCE8B670C5028071F98FB8D9AD10B4E944FD9B1A495966
SHA-512:	7FACD73EDC401D72EB7CCFBD61373E6478DA90485A03164B64E884ECE247219403E777F41820BB26B4F047CFBBA3728943B41915AD109C441F8BE53D86EA2F01
Malicious:	false
Preview:	{"type":"health","id":"b68abcef-09b3-4be7-9a66-c579c60be5da","creationDate":"2024-10-27T17:07:08.768Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.332113134393519
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS33HLXnIgn/pnxQwRlszT5sKtD3eHVQj6TKamhujJlOsIomNVr0aDO:GUpOxa5nR6J3eHTK4JlIquR4
MD5:	BA9E183E49BC8B09B27242C1280F264A
SHA1:	901AF7B06957E1E39614AFD605C913467A372ADB
SHA-256:	FBDECC147A3F9D6C06BC7DC0DCEF5E7817A64B3663C6053CEC1E9AEF2C286FE6
SHA-512:	5D73099E0F69A37B04B001766968EE65118C99ABA70EC9E53918A015ED9D2F8A30A0A82365F03A51EA5D7161C295899356E40F47D4E18800AA492204211BA7E6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ab627912-412f-474d-8ca3-062fc7e9b4f8}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730048802267,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`767645...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....772843,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.332113134393519
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS33HLXnIgn/pnxQwRlszT5sKtD3eHVQj6TKamhujJlOsIomNVr0aDO:GUpOxa5nR6J3eHTK4JlIquR4
MD5:	BA9E183E49BC8B09B27242C1280F264A
SHA1:	901AF7B06957E1E39614AFD605C913467A372ADB
SHA-256:	FBDECC147A3F9D6C06BC7DC0DCEF5E7817A64B3663C6053CEC1E9AEF2C286FE6
SHA-512:	5D73099E0F69A37B04B001766968EE65118C99ABA70EC9E53918A015ED9D2F8A30A0A82365F03A51EA5D7161C295899356E40F47D4E18800AA492204211BA7E6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ab627912-412f-474d-8ca3-062fc7e9b4f8}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730048802267,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`767645...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....772843,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.332113134393519
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS33HLXnIgn/pnxQwRlszT5sKtD3eHVQj6TKamhujJlOsIomNVr0aDO:GUpOxa5nR6J3eHTK4JlIquR4
MD5:	BA9E183E49BC8B09B27242C1280F264A
SHA1:	901AF7B06957E1E39614AFD605C913467A372ADB
SHA-256:	FBDECC147A3F9D6C06BC7DC0DCEF5E7817A64B3663C6053CEC1E9AEF2C286FE6
SHA-512:	5D73099E0F69A37B04B001766968EE65118C99ABA70EC9E53918A015ED9D2F8A30A0A82365F03A51EA5D7161C295899356E40F47D4E18800AA492204211BA7E6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ab627912-412f-474d-8ca3-062fc7e9b4f8}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730048802267,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`767645...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....772843,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034441295687816
Encrypted:	false
SSDEEP:	48:YrSAYrz6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycHyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	CDDECCCF8F5586BB05DBE3CDF6F279A5
SHA1:	64693A947D23D2B6F0D505CDDD3B3846639431B8
SHA-256:	CB583BA49C9D4CDD1AA2F1A4FB14A1AD2747A64352189E382E8B71A4D4600D05
SHA-512:	6AC53F1588ADB47151B15DFF2E00A80D317287C71DCA9DEAE124C0014B3811F03447D25A43B5A0590B02927B3FF158AF0F5918BBA6869F75277874C4759B5FDA
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-27T17:06:18.357Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034441295687816
Encrypted:	false
SSDEEP:	48:YrSAYrz6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycHyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	CDDECCCF8F5586BB05DBE3CDF6F279A5
SHA1:	64693A947D23D2B6F0D505CDDD3B3846639431B8
SHA-256:	CB583BA49C9D4CDD1AA2F1A4FB14A1AD2747A64352189E382E8B71A4D4600D05
SHA-512:	6AC53F1588ADB47151B15DFF2E00A80D317287C71DCA9DEAE124C0014B3811F03447D25A43B5A0590B02927B3FF158AF0F5918BBA6869F75277874C4759B5FDA
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-27T17:06:18.357Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584689534072387
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	e019cbb1029010358e34b47bcd26f96e
SHA1:	91bfc19f92bb68ebb2cb73b25a9beb3876e348e8
SHA256:	9b26e581c1073354a415a7abfac8555fab57f4212bd6640fffa00746b57bff81
SHA512:	8296822b78cfc89eb4b09d33f102abb367dff4d8d19a2c22ef2810e3f142ef25aec52794c0f51f5bda8bea2f7b7e7f7e55093ee4d66a418f07e4c34b631d2d05
SSDEEP:	12288:gqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Ta:gqDEvCTbMWu7rQYlBQcBiT6rprG8aba
TLSH:	43159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671E573D [Sun Oct 27 15:07:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE0CCF0C343h
jmp 00007FE0CCF0BC4Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE0CCF0BE2Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE0CCF0BDFAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE0CCF0E9EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE0CCF0EA38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE0CCF0EA21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	b789ef8521e34d72d928aa42c6bc8719	False	0.3156398338607595	data	5.373629157632782	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 16:10:09.241811991 CET	49743	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:09.241848946 CET	443	49743	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:09.246721983 CET	49743	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:09.250478983 CET	49743	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:09.250497103 CET	443	49743	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:09.886742115 CET	443	49743	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:09.889419079 CET	49743	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:09.906876087 CET	49743	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:09.906903028 CET	443	49743	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:09.906979084 CET	49743	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:09.907468081 CET	443	49743	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:09.917453051 CET	49743	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:11.210915089 CET	49745	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:11.210957050 CET	443	49745	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:11.212227106 CET	49745	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:11.213490009 CET	49745	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:11.213501930 CET	443	49745	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:11.438107014 CET	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:11.439336061 CET	49747	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:11.439359903 CET	443	49747	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:11.446978092 CET	49747	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:11.448240995 CET	49747	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:11.448257923 CET	443	49747	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:12.291843891 CET	80	49746	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:12.292434931 CET	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:12.294925928 CET	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:12.296628952 CET	49749	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.296720982 CET	443	49749	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.297019005 CET	49750	443	192.168.2.4	34.160.144.191
Oct 27, 2024 16:10:12.297046900 CET	443	49750	34.160.144.191	192.168.2.4
Oct 27, 2024 16:10:12.297089100 CET	49749	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.297733068 CET	49750	443	192.168.2.4	34.160.144.191
Oct 27, 2024 16:10:12.299020052 CET	49749	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.299061060 CET	443	49749	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.299420118 CET	49751	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.299443007 CET	443	49751	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.299498081 CET	49750	443	192.168.2.4	34.160.144.191
Oct 27, 2024 16:10:12.299514055 CET	443	49750	34.160.144.191	192.168.2.4
Oct 27, 2024 16:10:12.299695969 CET	49751	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.299767017 CET	49752	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:12.299865961 CET	443	49752	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:12.300220013 CET	80	49746	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:12.300831079 CET	49752	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:12.301409006 CET	49751	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.301434994 CET	443	49751	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.301569939 CET	49752	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:12.301606894 CET	443	49752	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:12.306826115 CET	443	49745	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:12.306902885 CET	49745	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:12.307836056 CET	443	49745	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:12.307946920 CET	49745	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:12.311728001 CET	49745	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:12.311737061 CET	443	49745	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:12.311873913 CET	49745	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:12.312020063 CET	443	49745	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:12.312138081 CET	49745	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:12.887749910 CET	80	49746	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:12.927433968 CET	443	49750	34.160.144.191	192.168.2.4
Oct 27, 2024 16:10:12.927598953 CET	443	49749	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.929699898 CET	49750	443	192.168.2.4	34.160.144.191
Oct 27, 2024 16:10:12.929703951 CET	49749	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.934082031 CET	443	49751	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.936278105 CET	49750	443	192.168.2.4	34.160.144.191
Oct 27, 2024 16:10:12.936288118 CET	443	49750	34.160.144.191	192.168.2.4
Oct 27, 2024 16:10:12.936676025 CET	443	49750	34.160.144.191	192.168.2.4
Oct 27, 2024 16:10:12.937216043 CET	443	49752	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:12.937546968 CET	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:12.939378023 CET	443	49751	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.939852953 CET	49750	443	192.168.2.4	34.160.144.191
Oct 27, 2024 16:10:12.939966917 CET	49751	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.940110922 CET	49750	443	192.168.2.4	34.160.144.191
Oct 27, 2024 16:10:12.940123081 CET	49752	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:12.940413952 CET	49751	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.942734957 CET	49752	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:12.942756891 CET	443	49752	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:12.943162918 CET	443	49752	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:12.945732117 CET	49749	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.945770025 CET	443	49749	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.945811033 CET	49749	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.946196079 CET	443	49749	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.946363926 CET	49749	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.948122025 CET	49752	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:12.948180914 CET	49752	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:12.948323011 CET	443	49752	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:12.948388100 CET	49752	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:12.949090004 CET	49751	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.949105024 CET	443	49751	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.949143887 CET	49751	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:12.949372053 CET	443	49751	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:12.949426889 CET	49751	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:13.029706955 CET	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:13.035888910 CET	80	49746	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:13.037296057 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:13.042694092 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:13.043267012 CET	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:13.043304920 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:13.043607950 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:13.049315929 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:13.134776115 CET	443	49747	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:13.134810925 CET	443	49747	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:13.135026932 CET	49747	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:13.137320042 CET	443	49747	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:13.138778925 CET	49747	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:13.141859055 CET	49747	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:13.141872883 CET	443	49747	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:13.142030954 CET	49747	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:13.142174959 CET	443	49747	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:13.142255068 CET	49755	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:13.142302036 CET	443	49755	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:13.142452955 CET	49755	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:13.142532110 CET	49747	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:13.147526026 CET	49755	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:13.147583008 CET	443	49755	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:13.572962046 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:13.572990894 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:13.574817896 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:13.577526093 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:13.579004049 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:13.579015970 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:13.580113888 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:13.583059072 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:13.583652973 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:13.589008093 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:13.764764071 CET	49759	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:13.764831066 CET	443	49759	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:13.771682024 CET	49759	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:13.773015022 CET	49759	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:13.773046970 CET	443	49759	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:14.663053036 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.664155006 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.664227009 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.665417910 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.665630102 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.665846109 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.666522980 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.667399883 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.667644978 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.670495033 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.670495033 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.670578003 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.671325922 CET	49760	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:14.671370029 CET	443	49760	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:14.671678066 CET	49760	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:14.672889948 CET	49760	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:14.672909975 CET	443	49760	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:14.673789024 CET	443	49755	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:14.673938036 CET	49761	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:14.674024105 CET	443	49761	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:14.674237013 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:14.674324036 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:14.674411058 CET	49755	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:14.674443007 CET	49761	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:14.674527884 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:14.675024033 CET	443	49755	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:14.676661015 CET	49761	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:14.676701069 CET	443	49761	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:14.677937031 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:14.677970886 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:14.678586960 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:14.678853989 CET	49763	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:14.678901911 CET	443	49763	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:14.678945065 CET	49755	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:14.679012060 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:14.681495905 CET	49763	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:14.693545103 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.693670034 CET	49763	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:14.693705082 CET	443	49763	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:14.698864937 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.701781034 CET	49755	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:14.701822042 CET	443	49755	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:14.701854944 CET	49755	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:14.702353954 CET	443	49755	142.250.184.206	192.168.2.4
Oct 27, 2024 16:10:14.702548981 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:14.702563047 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:14.702630043 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:14.702999115 CET	49764	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:14.703064919 CET	443	49764	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:14.703095913 CET	443	49756	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:14.708481073 CET	49755	443	192.168.2.4	142.250.184.206
Oct 27, 2024 16:10:14.708579063 CET	49764	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:14.709311008 CET	49756	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:14.709806919 CET	49764	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:14.709844112 CET	443	49764	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:14.773068905 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.778487921 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.823287964 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.866422892 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.899622917 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.911003113 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:14.916318893 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:14.951069117 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:15.041265011 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.082709074 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:15.275144100 CET	443	49759	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:15.275161982 CET	443	49759	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:15.275234938 CET	49759	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:15.279755116 CET	49759	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:15.279788017 CET	443	49759	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:15.279840946 CET	49759	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:15.280141115 CET	443	49759	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:15.280438900 CET	49759	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:15.282674074 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:15.287992001 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.296708107 CET	443	49761	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:15.296797037 CET	49761	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:15.297343969 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:15.297436953 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:15.298599005 CET	443	49763	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:15.298687935 CET	49763	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:15.300781965 CET	49763	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:15.300803900 CET	443	49763	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:15.301136971 CET	443	49763	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:15.306197882 CET	49761	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:15.306250095 CET	443	49761	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:15.306283951 CET	49761	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:15.306493044 CET	443	49761	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:15.306502104 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:15.306528091 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:15.306545973 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:15.306770086 CET	443	49762	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:15.307292938 CET	49763	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:15.307357073 CET	49763	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:15.307374001 CET	443	49760	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.307482004 CET	443	49763	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:15.308610916 CET	49761	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:15.308621883 CET	49762	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:15.308643103 CET	49763	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:15.308753014 CET	49760	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.314690113 CET	49760	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.314717054 CET	443	49760	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.314773083 CET	49760	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.314976931 CET	443	49760	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.315030098 CET	49760	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.350954056 CET	443	49764	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:15.351041079 CET	49764	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:15.354617119 CET	49764	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:15.354646921 CET	443	49764	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:15.354698896 CET	49764	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:15.354880095 CET	443	49764	34.117.188.166	192.168.2.4
Oct 27, 2024 16:10:15.354978085 CET	49764	443	192.168.2.4	34.117.188.166
Oct 27, 2024 16:10:15.409038067 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.452498913 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:15.604633093 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:15.605696917 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:15.610071898 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.611022949 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.619647026 CET	49765	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.619725943 CET	443	49765	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.619852066 CET	49765	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.621174097 CET	49765	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.621217966 CET	443	49765	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.622473955 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.622570038 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.624279976 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.624309063 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.624571085 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.624782085 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.624905109 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.624943972 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.625016928 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.625040054 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.627435923 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.627509117 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.627933979 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.628068924 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.628102064 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.635101080 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.635188103 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.635674000 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.635828972 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:15.635863066 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:15.733591080 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.734673023 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.757575035 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:15.762964964 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.800328970 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:15.890646935 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:15.953991890 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:16.229197025 CET	443	49765	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.229279995 CET	49765	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.240039110 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.240123034 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.240585089 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.240736961 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.240777016 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.240788937 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.240940094 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.241121054 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.275039911 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.275090933 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.276124001 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.276767969 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.276844978 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.277811050 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.278673887 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.278733015 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.279616117 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.280791998 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.280829906 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.281598091 CET	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.288893938 CET	49765	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.288935900 CET	443	49765	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.289024115 CET	49765	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.289195061 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.289328098 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.289369106 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.289416075 CET	443	49765	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.289583921 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.289654970 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.289768934 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.291441917 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.291517019 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.291582108 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.291632891 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.291672945 CET	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.291688919 CET	49765	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.291703939 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.291728020 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:16.291903973 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:16.291951895 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:18.344399929 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:18.349977016 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:18.351778030 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:18.351881027 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:18.352336884 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:18.353641987 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:18.353673935 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:18.471740007 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:18.512809038 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:18.974890947 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:18.975102901 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:18.979532957 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:18.979590893 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:18.979625940 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:18.979875088 CET	443	49770	34.120.208.123	192.168.2.4
Oct 27, 2024 16:10:18.979949951 CET	49770	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:10:22.673546076 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:22.679208040 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:22.804265022 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:22.847155094 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:23.730714083 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:23.732048988 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:23.732112885 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:23.734178066 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:23.735591888 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:23.735625982 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:23.736298084 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:23.859225035 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:23.903459072 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:24.342475891 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:24.342567921 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:24.484606981 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:24.489099026 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:24.489121914 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:24.489165068 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:24.489613056 CET	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:24.490230083 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:24.491381884 CET	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:24.625457048 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:24.660609961 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:24.666268110 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:24.667969942 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:24.787761927 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:24.837302923 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:25.566106081 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:25.571573019 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:25.696259975 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:25.755472898 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:34.685609102 CET	49773	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:34.685693979 CET	443	49773	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:34.685910940 CET	49773	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:34.687212944 CET	49773	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:34.687262058 CET	443	49773	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:34.797017097 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:34.802542925 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:35.296663046 CET	443	49773	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:35.298506021 CET	49773	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:35.302666903 CET	49773	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:35.302695036 CET	443	49773	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:35.302762985 CET	49773	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:35.303073883 CET	443	49773	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:35.305999041 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:35.311300993 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:35.320658922 CET	49773	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:35.432884932 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:35.436772108 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:35.442094088 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:35.483393908 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:35.573174000 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:35.621613026 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:37.790584087 CET	49774	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:37.790622950 CET	443	49774	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:37.798995972 CET	49774	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:37.799112082 CET	49774	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:37.799120903 CET	443	49774	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:37.807128906 CET	49775	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:37.807173014 CET	443	49775	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:37.807907104 CET	49775	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:37.808062077 CET	49775	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:37.808080912 CET	443	49775	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:37.809113979 CET	49776	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:37.809168100 CET	443	49776	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:37.810115099 CET	49776	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:37.828025103 CET	49776	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:37.828058958 CET	443	49776	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:37.828469038 CET	49777	443	192.168.2.4	151.101.1.91
Oct 27, 2024 16:10:37.828550100 CET	443	49777	151.101.1.91	192.168.2.4
Oct 27, 2024 16:10:37.828620911 CET	49778	443	192.168.2.4	35.201.103.21
Oct 27, 2024 16:10:37.828645945 CET	443	49778	35.201.103.21	192.168.2.4
Oct 27, 2024 16:10:37.832451105 CET	49778	443	192.168.2.4	35.201.103.21
Oct 27, 2024 16:10:37.832458019 CET	49777	443	192.168.2.4	151.101.1.91
Oct 27, 2024 16:10:37.832590103 CET	49777	443	192.168.2.4	151.101.1.91
Oct 27, 2024 16:10:37.832623005 CET	443	49777	151.101.1.91	192.168.2.4
Oct 27, 2024 16:10:37.834140062 CET	49778	443	192.168.2.4	35.201.103.21
Oct 27, 2024 16:10:37.834152937 CET	443	49778	35.201.103.21	192.168.2.4
Oct 27, 2024 16:10:38.414149046 CET	443	49774	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.414182901 CET	443	49774	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.414242983 CET	49774	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.416954994 CET	443	49775	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:38.417046070 CET	49775	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:38.417222023 CET	49774	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.417228937 CET	443	49774	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.417974949 CET	443	49774	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.419725895 CET	49775	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:38.419737101 CET	443	49775	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:38.419950962 CET	443	49775	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:38.422846079 CET	49774	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.422930002 CET	49774	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.423029900 CET	443	49774	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.423129082 CET	49775	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:38.423229933 CET	49775	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:38.423270941 CET	443	49775	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:38.423310995 CET	49774	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.423362017 CET	49775	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:38.426491022 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:38.431870937 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:38.466137886 CET	443	49777	151.101.1.91	192.168.2.4
Oct 27, 2024 16:10:38.466269970 CET	49777	443	192.168.2.4	151.101.1.91
Oct 27, 2024 16:10:38.466382027 CET	443	49778	35.201.103.21	192.168.2.4
Oct 27, 2024 16:10:38.466459036 CET	49778	443	192.168.2.4	35.201.103.21
Oct 27, 2024 16:10:38.468871117 CET	49777	443	192.168.2.4	151.101.1.91
Oct 27, 2024 16:10:38.468893051 CET	443	49777	151.101.1.91	192.168.2.4
Oct 27, 2024 16:10:38.469295025 CET	443	49777	151.101.1.91	192.168.2.4
Oct 27, 2024 16:10:38.473143101 CET	49777	443	192.168.2.4	151.101.1.91
Oct 27, 2024 16:10:38.473212957 CET	49777	443	192.168.2.4	151.101.1.91
Oct 27, 2024 16:10:38.473351002 CET	443	49777	151.101.1.91	192.168.2.4
Oct 27, 2024 16:10:38.473428965 CET	49778	443	192.168.2.4	35.201.103.21
Oct 27, 2024 16:10:38.473438978 CET	443	49778	35.201.103.21	192.168.2.4
Oct 27, 2024 16:10:38.473469019 CET	49778	443	192.168.2.4	35.201.103.21
Oct 27, 2024 16:10:38.473601103 CET	49777	443	192.168.2.4	151.101.1.91
Oct 27, 2024 16:10:38.473690987 CET	443	49778	35.201.103.21	192.168.2.4
Oct 27, 2024 16:10:38.473748922 CET	49778	443	192.168.2.4	35.201.103.21
Oct 27, 2024 16:10:38.476640940 CET	443	49776	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:38.476737022 CET	49776	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:38.480762005 CET	49776	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:38.480783939 CET	443	49776	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:38.480833054 CET	49776	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:38.481046915 CET	443	49776	35.190.72.216	192.168.2.4
Oct 27, 2024 16:10:38.481312037 CET	49776	443	192.168.2.4	35.190.72.216
Oct 27, 2024 16:10:38.483330965 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.483386040 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.483689070 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.483830929 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.483846903 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.485647917 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.485671997 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.487500906 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.487523079 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.489321947 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.489322901 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.489455938 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.489470959 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.489600897 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:38.489612103 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:38.493735075 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:38.493765116 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:38.493870974 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:38.494014978 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:38.494030952 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:38.553174019 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:38.558749914 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:38.564249992 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:38.606537104 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:38.688638926 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:38.744625092 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:39.099204063 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.099330902 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.102215052 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.102262974 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.102622986 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.104868889 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.104952097 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.105053902 CET	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.107999086 CET	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.109781027 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:39.115799904 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:39.122090101 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:39.122179985 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:39.123935938 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.125339985 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:39.125351906 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:39.125770092 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.126230955 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:39.127712011 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.128086090 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.128094912 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.128288984 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.128988981 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.131056070 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.131064892 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.131825924 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.133680105 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:39.133749962 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:39.134139061 CET	443	49782	34.149.100.209	192.168.2.4
Oct 27, 2024 16:10:39.134536982 CET	49782	443	192.168.2.4	34.149.100.209
Oct 27, 2024 16:10:39.135121107 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.135169983 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.135474920 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.135519028 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.135606050 CET	443	49781	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.135706902 CET	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 16:10:39.136558056 CET	49781	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.136578083 CET	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 16:10:39.236248016 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:39.238720894 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:39.244087934 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:39.277276039 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:39.368573904 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:39.430586100 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:49.237920046 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:49.243592024 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:49.369596004 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:49.375196934 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:55.576667070 CET	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:55.576714993 CET	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:55.577146053 CET	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:55.578362942 CET	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:55.578381062 CET	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:56.193144083 CET	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:56.193227053 CET	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:56.198085070 CET	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:56.198092937 CET	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:56.198209047 CET	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:56.198635101 CET	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 16:10:56.198695898 CET	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:10:56.200660944 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:56.206005096 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:56.327548981 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:56.330014944 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:56.335897923 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:56.376593113 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:10:56.460372925 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:10:56.514693022 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:06.342940092 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:06.349241972 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:06.474540949 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:06.480108023 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:08.092612028 CET	49847	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.092667103 CET	443	49847	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.094506025 CET	49848	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.094584942 CET	443	49848	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.094681025 CET	49847	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.094742060 CET	49848	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.094944954 CET	49847	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.094973087 CET	443	49847	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.095175028 CET	49848	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.095212936 CET	443	49848	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.098639965 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.098685980 CET	443	49849	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.098993063 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.099229097 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.099261045 CET	443	49849	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.703579903 CET	443	49849	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.711380005 CET	443	49849	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.711740017 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.715219975 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.715253115 CET	443	49849	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.716202021 CET	443	49849	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.721321106 CET	443	49847	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.721366882 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.721472979 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.721681118 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.721767902 CET	443	49849	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.721800089 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.721803904 CET	49847	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.722395897 CET	49849	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.724721909 CET	49847	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.724755049 CET	443	49847	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.725095987 CET	443	49847	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.725153923 CET	443	49848	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.727031946 CET	49848	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.729428053 CET	49848	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.729456902 CET	443	49848	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.729465961 CET	49847	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.729536057 CET	49847	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.730462074 CET	443	49848	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.732284069 CET	49848	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.732398033 CET	49848	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.732815981 CET	443	49848	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.733059883 CET	49848	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.758263111 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:08.763844013 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:08.788649082 CET	49855	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.788707018 CET	443	49855	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.788893938 CET	49856	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.788913965 CET	443	49856	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.789153099 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.789197922 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.790098906 CET	49855	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.790255070 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.790260077 CET	49856	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.790260077 CET	49855	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.790323019 CET	443	49855	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.790365934 CET	49856	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.790378094 CET	443	49856	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.790394068 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.790409088 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.806420088 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.806458950 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.807677031 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.807821035 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:08.807848930 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:08.885839939 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:08.888809919 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:08.894315958 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:08.927719116 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:09.020380020 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:09.065788984 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:09.403819084 CET	443	49855	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.403914928 CET	49855	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.406435966 CET	49855	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.406465054 CET	443	49855	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.407233953 CET	443	49855	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.408469915 CET	49855	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.408560991 CET	49855	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.408874035 CET	443	49855	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.408982038 CET	49855	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.412214041 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:09.417607069 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:09.420902014 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.420989037 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.423695087 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.423718929 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.424196005 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.425057888 CET	443	49856	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.425156116 CET	49856	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.427356005 CET	49856	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.427365065 CET	443	49856	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.428236961 CET	443	49856	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.428713083 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.428787947 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.428890944 CET	443	49857	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.429044008 CET	49857	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.430727005 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.431514978 CET	49856	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.431580067 CET	49856	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.431926012 CET	443	49856	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.432037115 CET	49856	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.432136059 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.435000896 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.435008049 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.435228109 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.437488079 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.437566042 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.437609911 CET	443	49858	34.120.208.123	192.168.2.4
Oct 27, 2024 16:11:09.437693119 CET	49858	443	192.168.2.4	34.120.208.123
Oct 27, 2024 16:11:09.538470030 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:09.541306973 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:09.546664000 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:09.582734108 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:09.671364069 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:09.714277029 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:13.979650021 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:13.985052109 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:14.106161118 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:14.108611107 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:14.113934994 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:14.157390118 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:14.238343954 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:14.279818058 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:24.108716965 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:24.114188910 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:24.239192009 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:24.244880915 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:34.114670038 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:34.120052099 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:34.263501883 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:34.268835068 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:36.572366953 CET	50014	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:11:36.572457075 CET	443	50014	34.107.243.93	192.168.2.4
Oct 27, 2024 16:11:36.572997093 CET	50014	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:11:36.574470997 CET	50014	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:11:36.574505091 CET	443	50014	34.107.243.93	192.168.2.4
Oct 27, 2024 16:11:37.192280054 CET	443	50014	34.107.243.93	192.168.2.4
Oct 27, 2024 16:11:37.192370892 CET	50014	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:11:37.197180033 CET	50014	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:11:37.197223902 CET	443	50014	34.107.243.93	192.168.2.4
Oct 27, 2024 16:11:37.197304010 CET	50014	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:11:37.197444916 CET	443	50014	34.107.243.93	192.168.2.4
Oct 27, 2024 16:11:37.198122978 CET	50014	443	192.168.2.4	34.107.243.93
Oct 27, 2024 16:11:37.200313091 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:37.205656052 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:37.327208042 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:37.330851078 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:37.336421013 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:37.376838923 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:37.461119890 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:37.508569002 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:47.335458994 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:47.341106892 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:47.473521948 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:47.479089022 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:57.364501953 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:57.370246887 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:11:57.480444908 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:11:57.485934973 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 16:12:07.383018017 CET	49757	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:12:07.388598919 CET	80	49757	34.107.221.82	192.168.2.4
Oct 27, 2024 16:12:07.497078896 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 16:12:07.502777100 CET	80	49754	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 16:10:09.242130995 CET	52409	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:09.250824928 CET	53	52409	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:09.256747007 CET	50144	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:09.264295101 CET	53	50144	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:11.196909904 CET	54926	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:11.197293997 CET	49300	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:11.204685926 CET	53	54926	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:11.211500883 CET	50804	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:11.218856096 CET	63000	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:11.219053984 CET	53	50804	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:11.219614029 CET	65436	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:11.226424932 CET	53	63000	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:11.228003025 CET	53	65436	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:11.230272055 CET	59139	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:11.244599104 CET	53	59139	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:11.615506887 CET	61801	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:11.626207113 CET	51139	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:11.925637960 CET	51743	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.115525007 CET	57456	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.293298960 CET	53	61801	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.293416023 CET	53	51139	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.294785023 CET	53	57456	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.300622940 CET	62348	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.300762892 CET	55514	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.301477909 CET	54424	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.307955980 CET	53	62348	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.308621883 CET	53	54424	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.308906078 CET	53	55514	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.311196089 CET	54653	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.311623096 CET	55928	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.312072039 CET	53637	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.318439007 CET	53	54653	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.319252014 CET	53666	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.319396019 CET	53	55928	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.319411993 CET	53	53637	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.327178955 CET	53	53666	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.327877998 CET	57629	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.335557938 CET	53	57629	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.650238037 CET	56616	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.682332039 CET	53	49362	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.966629982 CET	61387	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.966819048 CET	51261	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:12.974164963 CET	53	51261	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:12.974239111 CET	53	61387	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:13.574151993 CET	64169	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:13.581964970 CET	53	64169	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:13.585855007 CET	61874	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:13.598066092 CET	53	61874	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:13.601250887 CET	60247	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:13.614804983 CET	53	60247	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:13.939784050 CET	58042	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.490443945 CET	57027	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.669230938 CET	51172	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.669787884 CET	56311	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.670583010 CET	53	57027	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.670769930 CET	53	58042	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.678458929 CET	53	51172	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.678662062 CET	53	56311	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.691682100 CET	65138	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.691943884 CET	52669	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.691943884 CET	54431	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.699467897 CET	53	65138	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.699527979 CET	53	52669	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.704634905 CET	53	54431	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.709212065 CET	57195	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.709767103 CET	64731	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.710352898 CET	58139	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.717611074 CET	53	57195	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.717645884 CET	53	64731	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.718142033 CET	53	58139	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.730686903 CET	52105	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.735940933 CET	49924	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.736556053 CET	57723	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.738128901 CET	53	52105	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.743717909 CET	53	57723	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.743731976 CET	53	49924	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.748169899 CET	53395	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.754760981 CET	56492	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.755114079 CET	60628	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.756318092 CET	53	53395	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.757503033 CET	52748	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.762228012 CET	53	60628	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.762550116 CET	53	56492	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.762680054 CET	60564	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.763122082 CET	60981	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.764818907 CET	53	52748	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.765486956 CET	57177	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:14.769929886 CET	53	60564	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.770417929 CET	53	60981	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:14.772850037 CET	53	57177	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:18.338270903 CET	60522	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:18.346215010 CET	53	60522	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:18.354338884 CET	54010	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:18.363006115 CET	53	54010	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:18.387715101 CET	55683	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:18.395716906 CET	53	55683	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:23.736690044 CET	56932	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:23.744317055 CET	53	56932	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:34.684643030 CET	53230	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:34.691886902 CET	53	53230	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:34.692879915 CET	51717	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:34.700352907 CET	53	51717	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:37.791140079 CET	49731	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:37.799201012 CET	53	49731	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:37.800451994 CET	63333	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:37.801098108 CET	55322	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:37.807842970 CET	53	63333	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:37.808655024 CET	53	55322	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:37.811367989 CET	61495	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:37.812020063 CET	57559	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:37.819205999 CET	53	57559	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:37.819432020 CET	53	61495	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:37.823117971 CET	63639	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:37.823482037 CET	63074	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:37.831418991 CET	53	63639	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:37.832403898 CET	53	63074	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:37.834837914 CET	58774	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:37.842448950 CET	53	58774	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:55.577378988 CET	59921	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:10:55.585385084 CET	53	59921	1.1.1.1	192.168.2.4
Oct 27, 2024 16:10:56.201050043 CET	59335	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:11:08.078166008 CET	62282	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:11:08.086083889 CET	53	62282	1.1.1.1	192.168.2.4
Oct 27, 2024 16:11:36.364048958 CET	49232	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:11:36.570899963 CET	53	49232	1.1.1.1	192.168.2.4
Oct 27, 2024 16:11:36.572997093 CET	51068	53	192.168.2.4	1.1.1.1
Oct 27, 2024 16:11:36.580559969 CET	53	51068	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 16:10:09.242130995 CET	192.168.2.4	1.1.1.1	0x89f	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:09.256747007 CET	192.168.2.4	1.1.1.1	0x5bb4	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:11.196909904 CET	192.168.2.4	1.1.1.1	0xce97	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.197293997 CET	192.168.2.4	1.1.1.1	0x4ecc	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.211500883 CET	192.168.2.4	1.1.1.1	0x9c79	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.218856096 CET	192.168.2.4	1.1.1.1	0x44a2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.219614029 CET	192.168.2.4	1.1.1.1	0x147f	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:11.230272055 CET	192.168.2.4	1.1.1.1	0x38cb	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:11.615506887 CET	192.168.2.4	1.1.1.1	0xc20	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.626207113 CET	192.168.2.4	1.1.1.1	0x28bd	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.925637960 CET	192.168.2.4	1.1.1.1	0x7410	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.115525007 CET	192.168.2.4	1.1.1.1	0x8df8	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.300622940 CET	192.168.2.4	1.1.1.1	0x8279	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.300762892 CET	192.168.2.4	1.1.1.1	0x47bc	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.301477909 CET	192.168.2.4	1.1.1.1	0x8298	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.311196089 CET	192.168.2.4	1.1.1.1	0x45a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:12.311623096 CET	192.168.2.4	1.1.1.1	0x2edb	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:12.312072039 CET	192.168.2.4	1.1.1.1	0x62e0	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:12.319252014 CET	192.168.2.4	1.1.1.1	0x990	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.327877998 CET	192.168.2.4	1.1.1.1	0xfc56	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:12.650238037 CET	192.168.2.4	1.1.1.1	0x1b12	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.966629982 CET	192.168.2.4	1.1.1.1	0x48f8	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.966819048 CET	192.168.2.4	1.1.1.1	0x4830	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:13.574151993 CET	192.168.2.4	1.1.1.1	0xb2d8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:13.585855007 CET	192.168.2.4	1.1.1.1	0xae97	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:13.601250887 CET	192.168.2.4	1.1.1.1	0xe6b2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:13.939784050 CET	192.168.2.4	1.1.1.1	0xf887	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.490443945 CET	192.168.2.4	1.1.1.1	0xd14d	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.669230938 CET	192.168.2.4	1.1.1.1	0xb0bb	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.669787884 CET	192.168.2.4	1.1.1.1	0x50a6	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.691682100 CET	192.168.2.4	1.1.1.1	0xb3ad	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.691943884 CET	192.168.2.4	1.1.1.1	0xb2d4	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.691943884 CET	192.168.2.4	1.1.1.1	0xc876	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.709212065 CET	192.168.2.4	1.1.1.1	0x66a5	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:14.709767103 CET	192.168.2.4	1.1.1.1	0xfc26	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:14.710352898 CET	192.168.2.4	1.1.1.1	0xc7ac	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 27, 2024 16:10:14.730686903 CET	192.168.2.4	1.1.1.1	0xff4b	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.735940933 CET	192.168.2.4	1.1.1.1	0xe408	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.736556053 CET	192.168.2.4	1.1.1.1	0x601f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.748169899 CET	192.168.2.4	1.1.1.1	0xba92	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:14.754760981 CET	192.168.2.4	1.1.1.1	0xeac5	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.755114079 CET	192.168.2.4	1.1.1.1	0x2e50	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.757503033 CET	192.168.2.4	1.1.1.1	0xef2d	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.762680054 CET	192.168.2.4	1.1.1.1	0x1211	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:14.763122082 CET	192.168.2.4	1.1.1.1	0x5d26	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:14.765486956 CET	192.168.2.4	1.1.1.1	0x4e4f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:18.338270903 CET	192.168.2.4	1.1.1.1	0xe19a	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:18.354338884 CET	192.168.2.4	1.1.1.1	0x8737	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:18.387715101 CET	192.168.2.4	1.1.1.1	0x7d01	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:23.736690044 CET	192.168.2.4	1.1.1.1	0x5f50	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:34.684643030 CET	192.168.2.4	1.1.1.1	0x2f03	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:34.692879915 CET	192.168.2.4	1.1.1.1	0xd740	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:37.791140079 CET	192.168.2.4	1.1.1.1	0xa1f5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.800451994 CET	192.168.2.4	1.1.1.1	0x1cb0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 16:10:37.801098108 CET	192.168.2.4	1.1.1.1	0x4dea	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.811367989 CET	192.168.2.4	1.1.1.1	0x3ae3	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.812020063 CET	192.168.2.4	1.1.1.1	0xfaad	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.823117971 CET	192.168.2.4	1.1.1.1	0x5055	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 27, 2024 16:10:37.823482037 CET	192.168.2.4	1.1.1.1	0xdaad	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.834837914 CET	192.168.2.4	1.1.1.1	0x277c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:55.577378988 CET	192.168.2.4	1.1.1.1	0x16a8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 16:10:56.201050043 CET	192.168.2.4	1.1.1.1	0xefc4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:11:08.078166008 CET	192.168.2.4	1.1.1.1	0x7356	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 16:11:36.364048958 CET	192.168.2.4	1.1.1.1	0xce15	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:11:36.572997093 CET	192.168.2.4	1.1.1.1	0x8842	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 16:10:00.313534975 CET	1.1.1.1	192.168.2.4	0x855f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:00.313534975 CET	1.1.1.1	192.168.2.4	0x855f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:09.227241039 CET	1.1.1.1	192.168.2.4	0x159c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:09.250824928 CET	1.1.1.1	192.168.2.4	0x89f	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.204685926 CET	1.1.1.1	192.168.2.4	0xce97	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.204705954 CET	1.1.1.1	192.168.2.4	0x4ecc	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:11.204705954 CET	1.1.1.1	192.168.2.4	0x4ecc	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.219053984 CET	1.1.1.1	192.168.2.4	0x9c79	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.226424932 CET	1.1.1.1	192.168.2.4	0x44a2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:11.228003025 CET	1.1.1.1	192.168.2.4	0x147f	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 27, 2024 16:10:11.244599104 CET	1.1.1.1	192.168.2.4	0x38cb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 16:10:12.293298960 CET	1.1.1.1	192.168.2.4	0xc20	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.293416023 CET	1.1.1.1	192.168.2.4	0x28bd	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:12.293416023 CET	1.1.1.1	192.168.2.4	0x28bd	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.293804884 CET	1.1.1.1	192.168.2.4	0x7410	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:12.293804884 CET	1.1.1.1	192.168.2.4	0x7410	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.294301033 CET	1.1.1.1	192.168.2.4	0x2418	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:12.294301033 CET	1.1.1.1	192.168.2.4	0x2418	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.294785023 CET	1.1.1.1	192.168.2.4	0x8df8	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:12.294785023 CET	1.1.1.1	192.168.2.4	0x8df8	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:12.294785023 CET	1.1.1.1	192.168.2.4	0x8df8	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.307955980 CET	1.1.1.1	192.168.2.4	0x8279	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.308621883 CET	1.1.1.1	192.168.2.4	0x8298	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.308906078 CET	1.1.1.1	192.168.2.4	0x47bc	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.319411993 CET	1.1.1.1	192.168.2.4	0x62e0	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 16:10:12.327178955 CET	1.1.1.1	192.168.2.4	0x990	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.657665968 CET	1.1.1.1	192.168.2.4	0x1b12	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:12.974164963 CET	1.1.1.1	192.168.2.4	0x4830	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.974164963 CET	1.1.1.1	192.168.2.4	0x4830	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:12.974239111 CET	1.1.1.1	192.168.2.4	0x48f8	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:13.581964970 CET	1.1.1.1	192.168.2.4	0xb2d8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:13.598066092 CET	1.1.1.1	192.168.2.4	0xae97	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670566082 CET	1.1.1.1	192.168.2.4	0x4a2c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670583010 CET	1.1.1.1	192.168.2.4	0xd14d	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670653105 CET	1.1.1.1	192.168.2.4	0x621d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670653105 CET	1.1.1.1	192.168.2.4	0x621d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670769930 CET	1.1.1.1	192.168.2.4	0xf887	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:14.670769930 CET	1.1.1.1	192.168.2.4	0xf887	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.678458929 CET	1.1.1.1	192.168.2.4	0xb0bb	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:14.678458929 CET	1.1.1.1	192.168.2.4	0xb0bb	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.678662062 CET	1.1.1.1	192.168.2.4	0x50a6	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:14.678662062 CET	1.1.1.1	192.168.2.4	0x50a6	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.699467897 CET	1.1.1.1	192.168.2.4	0xb3ad	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.699527979 CET	1.1.1.1	192.168.2.4	0xb2d4	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.704634905 CET	1.1.1.1	192.168.2.4	0xc876	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.717611074 CET	1.1.1.1	192.168.2.4	0x66a5	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 27, 2024 16:10:14.717645884 CET	1.1.1.1	192.168.2.4	0xfc26	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 16:10:14.717645884 CET	1.1.1.1	192.168.2.4	0xfc26	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 16:10:14.717645884 CET	1.1.1.1	192.168.2.4	0xfc26	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 16:10:14.717645884 CET	1.1.1.1	192.168.2.4	0xfc26	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 16:10:14.718142033 CET	1.1.1.1	192.168.2.4	0xc7ac	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 27, 2024 16:10:14.738128901 CET	1.1.1.1	192.168.2.4	0xff4b	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:14.738128901 CET	1.1.1.1	192.168.2.4	0xff4b	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.738128901 CET	1.1.1.1	192.168.2.4	0xff4b	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.738128901 CET	1.1.1.1	192.168.2.4	0xff4b	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.738128901 CET	1.1.1.1	192.168.2.4	0xff4b	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.743717909 CET	1.1.1.1	192.168.2.4	0x601f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.743731976 CET	1.1.1.1	192.168.2.4	0xe408	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.762228012 CET	1.1.1.1	192.168.2.4	0x2e50	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.762550116 CET	1.1.1.1	192.168.2.4	0xeac5	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.762550116 CET	1.1.1.1	192.168.2.4	0xeac5	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.762550116 CET	1.1.1.1	192.168.2.4	0xeac5	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.762550116 CET	1.1.1.1	192.168.2.4	0xeac5	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:14.764818907 CET	1.1.1.1	192.168.2.4	0xef2d	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:15.614923954 CET	1.1.1.1	192.168.2.4	0x3b6b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:18.346215010 CET	1.1.1.1	192.168.2.4	0xe19a	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:18.346215010 CET	1.1.1.1	192.168.2.4	0xe19a	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:18.346215010 CET	1.1.1.1	192.168.2.4	0xe19a	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:18.363006115 CET	1.1.1.1	192.168.2.4	0x8737	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:34.691886902 CET	1.1.1.1	192.168.2.4	0x2f03	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.789031982 CET	1.1.1.1	192.168.2.4	0x6e90	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:37.789031982 CET	1.1.1.1	192.168.2.4	0x6e90	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.799201012 CET	1.1.1.1	192.168.2.4	0xa1f5	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.808655024 CET	1.1.1.1	192.168.2.4	0x4dea	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.808655024 CET	1.1.1.1	192.168.2.4	0x4dea	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.808655024 CET	1.1.1.1	192.168.2.4	0x4dea	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.808655024 CET	1.1.1.1	192.168.2.4	0x4dea	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.819205999 CET	1.1.1.1	192.168.2.4	0xfaad	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:37.819205999 CET	1.1.1.1	192.168.2.4	0xfaad	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.819432020 CET	1.1.1.1	192.168.2.4	0x3ae3	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.819432020 CET	1.1.1.1	192.168.2.4	0x3ae3	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.819432020 CET	1.1.1.1	192.168.2.4	0x3ae3	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.819432020 CET	1.1.1.1	192.168.2.4	0x3ae3	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:37.832403898 CET	1.1.1.1	192.168.2.4	0xdaad	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:10:39.159902096 CET	1.1.1.1	192.168.2.4	0xea96	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:39.159902096 CET	1.1.1.1	192.168.2.4	0xea96	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:56.208813906 CET	1.1.1.1	192.168.2.4	0xefc4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 16:10:56.208813906 CET	1.1.1.1	192.168.2.4	0xefc4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:11:08.067750931 CET	1.1.1.1	192.168.2.4	0x66b8	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 16:11:36.570899963 CET	1.1.1.1	192.168.2.4	0xce15	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49746	34.107.221.82	80	7956	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 16:10:12.294925928 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:12.887749910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75554 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49754	34.107.221.82	80	7956	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 16:10:13.043607950 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:14.663053036 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14346 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:14.664155006 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14346 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:14.665417910 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14346 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:14.667399883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14346 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:14.693545103 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:14.823287964 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14347 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:14.911003113 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:15.041265011 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14347 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:15.604633093 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:15.734673023 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14348 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:15.757575035 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:15.890646935 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14348 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:22.673546076 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:22.804265022 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14355 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:24.484606981 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:24.625457048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14357 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:25.566106081 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:25.696259975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14358 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:35.436772108 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:35.573174000 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14368 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:38.558749914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:38.688638926 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14371 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:39.238720894 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:39.368573904 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14372 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:10:49.369596004 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:10:56.330014944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:10:56.460372925 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14389 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:11:06.474540949 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:11:08.888809919 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:11:09.020380020 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14401 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:11:09.541306973 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:11:09.671364069 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14402 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:11:14.108611107 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:11:14.238343954 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14407 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:11:24.239192009 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:11:34.263501883 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:11:37.330851078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 16:11:37.461119890 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 14430 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 16:11:47.473521948 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:11:57.480444908 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:12:07.497078896 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49757	34.107.221.82	80	7956	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 16:10:13.583652973 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:14.665630102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75556 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:14.666522980 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75556 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:14.667644978 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75556 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:14.773068905 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:14.899622917 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75556 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:15.282674074 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:15.409038067 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75557 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:15.605696917 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:15.733591080 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75557 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:18.344399929 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:18.471740007 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75560 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:23.730714083 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:23.859225035 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75565 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:24.660609961 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:24.787761927 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75566 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:34.797017097 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:10:35.305999041 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:35.432884932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75577 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:38.426491022 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:38.553174019 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75580 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:39.109781027 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:39.236248016 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75581 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:10:49.237920046 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:10:56.200660944 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:10:56.327548981 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75598 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:11:06.342940092 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:11:08.758263111 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:11:08.885839939 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75610 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:11:09.412214041 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:11:09.538470030 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75611 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:11:13.979650021 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:11:14.106161118 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75616 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:11:24.108716965 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:11:34.114670038 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:11:37.200313091 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 16:11:37.327208042 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 18:10:58 GMT Age: 75639 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 16:11:47.335458994 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:11:57.364501953 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 16:12:07.383018017 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	11:10:02
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xfc0000
File size:	919'552 bytes
MD5 hash:	E019CBB1029010358E34B47BCD26F96E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1775790580.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:10:02
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x170000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:10:02
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:10:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x170000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:10:04
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:10:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x170000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:10:04
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:10:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x170000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:10:04
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:10:05
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x170000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:10:05
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:10:05
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:10:05
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	11:10:06
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6e55d6-3507-42fc-a6ff-2bbf3adcec51} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b52e6ef10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	11:10:08
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3496 -parentBuildID 20230927232528 -prefsHandle 4208 -prefMapHandle 4220 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b3d612c-979a-427a-99fc-91fa3c906465} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b52e7bc10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	11:10:12
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52b8d9af-cf91-4aa6-9054-6272d401c2b9} 7956 "\\.\pipe\gecko-crash-server-pipe.7956" 22b642a8110 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1565
Total number of Limit Nodes:	54

Executed Functions

Function 00FC42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FC430D

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

GetCurrentProcess.KERNEL32(?,0105CB64,00000000,?,?), ref: 00FC4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00FC4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FC4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FC4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FC4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FC447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00FC44A0

Strings

|O, xrefs: 010036F8
GetNativeSystemInfo, xrefs: 00FC4460
kernel32.dll, xrefs: 00FC444F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 494dd4c5d6ee55b917f6dfc0c890869f2ac371f997f6d7695a08aa8926e0f9e4
Instruction ID: 3f7d477aad0342a08738c9175e40d814702504c07a1491ee1366a27fc0b78cb9
Opcode Fuzzy Hash: 494dd4c5d6ee55b917f6dfc0c890869f2ac371f997f6d7695a08aa8926e0f9e4
Instruction Fuzzy Hash: F0A1B136B0A3C3CFD737C76975616A53FF47B26220B18C89DD8C1A7A4AD23A4508DB61

Function 00FC42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FC50AA,?,?,00000000,00000000), ref: 00FC42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FC50AA,?,?,00000000,00000000), ref: 00FC42C9
LoadResource.KERNEL32(?,00000000,?,?,00FC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F20), ref: 010035BE
SizeofResource.KERNEL32(?,00000000,?,?,00FC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F20), ref: 010035D3
LockResource.KERNEL32(00FC50AA,?,?,00FC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F20,?), ref: 010035E6

Strings

SCRIPT, xrefs: 00FC42BF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4235410384bc762cab5ede1da8cab6bdeca45d6c8433fa4d8a6d50e5de14b4ad
Instruction ID: be72716bdc11c7f8020ab9401f8071fa4b3caddc35a9569bc60400980ef57826
Opcode Fuzzy Hash: 4235410384bc762cab5ede1da8cab6bdeca45d6c8433fa4d8a6d50e5de14b4ad
Instruction Fuzzy Hash: BD11AC70200301BFE7258B65DE4AF677BBDEBC5B51F20456DB84686290DB72E800E630

Function 01002BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00FC2B6B

Part of subcall function 00FC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01091418,?,00FC2E7F,?,?,?,00000000), ref: 00FC3A78

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01082224), ref: 01002C10
ShellExecuteW.SHELL32(00000000,?,?,01082224), ref: 01002C17

Strings

runas, xrefs: 01002C0B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 8f06db7dfe5c8a2be31493b4006abe9be7e98cb2217133850b685837d0570612
Instruction ID: cbf7ae887d1394f1cdef8d59090d4c5a0e0855b99b2e0244f237a1b178c8fd06
Opcode Fuzzy Hash: 8f06db7dfe5c8a2be31493b4006abe9be7e98cb2217133850b685837d0570612
Instruction Fuzzy Hash: 2511D2316083476ACB15FF20DE57F6EBBA4EB95360F44442CB1C206092CF398A4AA712

Function 0102D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0102D501
Process32FirstW.KERNEL32(00000000,?), ref: 0102D50F
Process32NextW.KERNEL32(00000000,?), ref: 0102D52F
CloseHandle.KERNELBASE(00000000), ref: 0102D5DC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 87785cd84a07750652cd7b855da0f3c8726dd876c64c514e965dd427adf097ca
Instruction ID: 4ac19863c4035e404f2df8e501405690e7404e1df3513f453d907ed129bda6dd
Opcode Fuzzy Hash: 87785cd84a07750652cd7b855da0f3c8726dd876c64c514e965dd427adf097ca
Instruction Fuzzy Hash: B5319E710083019FD311EF54C986EAFBBE8EF99344F54092DF581821A1EBB5A948CBA2

Function 0102DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,01005222), ref: 0102DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0102DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0102DBEE
FindClose.KERNEL32(00000000), ref: 0102DBFA

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: bce5978e741563c33c4fb806dc7e7a4ee72ba825df4101d462c2f179f085d9b5
Instruction ID: d27fee451edac0084c1e7186d7e543746e2a3cdb5ad72d073924d8a6adf9f986
Opcode Fuzzy Hash: bce5978e741563c33c4fb806dc7e7a4ee72ba825df4101d462c2f179f085d9b5
Instruction Fuzzy Hash: A1F0A73041072597A3306BBC990D46B37AC9E01375B104742F4B5D20D0EBB55D548795

Function 00FE4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00FF28E9,?,00FE4CBE,00FF28E9,010888B8,0000000C,00FE4E15,00FF28E9,00000002,00000000,?,00FF28E9), ref: 00FE4D09
TerminateProcess.KERNEL32(00000000,?,00FE4CBE,00FF28E9,010888B8,0000000C,00FE4E15,00FF28E9,00000002,00000000,?,00FF28E9), ref: 00FE4D10
ExitProcess.KERNEL32 ref: 00FE4D22

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9443e3c33376cda0d0ef766efa3c7589611274697e793ff4432481b89db27a71
Instruction ID: 93bfba5beed54f4bdf10c5ada5d6904e6097fa4f447473c8575523c92e4e32fe
Opcode Fuzzy Hash: 9443e3c33376cda0d0ef766efa3c7589611274697e793ff4432481b89db27a71
Instruction Fuzzy Hash: A8E0B631400388ABDF31AF55DE09A593F6DEF81791B104058FD45CA227CB3AEE42EB80

Function 0104AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0104B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0104B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0104B1D4
_wcslen.LIBCMT ref: 0104B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104B236
_wcslen.LIBCMT ref: 0104B332

Part of subcall function 010305A7: GetStdHandle.KERNEL32(000000F6), ref: 010305C6

_wcslen.LIBCMT ref: 0104B34B
_wcslen.LIBCMT ref: 0104B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0104B3B6
GetLastError.KERNEL32(00000000), ref: 0104B407
CloseHandle.KERNEL32(?), ref: 0104B439
CloseHandle.KERNEL32(00000000), ref: 0104B44A
CloseHandle.KERNEL32(00000000), ref: 0104B45C
CloseHandle.KERNEL32(00000000), ref: 0104B46E
CloseHandle.KERNEL32(?), ref: 0104B4E3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 7f35ec2a997a2f3d055926095d7b577175646e5dceced6b7f0c565e4855b8065
Instruction ID: c49c21d50cbe57a629905fe4e0a37db726549338ffdb7a021979e2c9a131cfa1
Opcode Fuzzy Hash: 7f35ec2a997a2f3d055926095d7b577175646e5dceced6b7f0c565e4855b8065
Instruction Fuzzy Hash: 84F1C1715043419FD714EF28C981B6EBBE5AF85310F1889ADF8C59B2A2CB35EC04CB52

Function 00FCD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FCD807
timeGetTime.WINMM ref: 00FCDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FCDB28
TranslateMessage.USER32(?), ref: 00FCDB7B
DispatchMessageW.USER32(?), ref: 00FCDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FCDB9F
Sleep.KERNELBASE(0000000A), ref: 00FCDBB1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5727e8cadf148c081b81d7d63b6892e061997610b2e124869593b82ec881e91b
Instruction ID: e7e81a4a8758e30bdbf9c5ba106af1f2ed58939a420b2356171cb5f732bf19b1
Opcode Fuzzy Hash: 5727e8cadf148c081b81d7d63b6892e061997610b2e124869593b82ec881e91b
Instruction Fuzzy Hash: 9F420130608342EFD739CB24C986FAEBBE1BF85314F14456DE59687281D779E844EB82

Function 00FC2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC2D07
RegisterClassExW.USER32(00000030), ref: 00FC2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC2D42
InitCommonControlsEx.COMCTL32(?), ref: 00FC2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC2D6F
LoadIconW.USER32(000000A9), ref: 00FC2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC2D94

Strings

AutoIt v3 GUI, xrefs: 00FC2D23
TaskbarCreated, xrefs: 00FC2D37
0, xrefs: 00FC2CE9
+, xrefs: 00FC2CF0

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6afa300eefaf45f8757d058eb65160c87c76e215e09825eb48aabb0c23359ba9
Instruction ID: f6bd92d1ed31fc1d42e7bddbb849b5a773573b0df0de3e8d7feb65056be4834a
Opcode Fuzzy Hash: 6afa300eefaf45f8757d058eb65160c87c76e215e09825eb48aabb0c23359ba9
Instruction Fuzzy Hash: 2D211FB5E01309AFEB10DF94E949BDE7FB8FB08710F00811AF591A6284D7BA0544CF51

Function 0100065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100039A: CreateFileW.KERNELBASE(00000000,00000000,?,01000704,?,?,00000000,?,01000704,00000000,0000000C), ref: 010003B7

GetLastError.KERNEL32 ref: 0100076F
__dosmaperr.LIBCMT ref: 01000776
GetFileType.KERNELBASE(00000000), ref: 01000782
GetLastError.KERNEL32 ref: 0100078C
__dosmaperr.LIBCMT ref: 01000795
CloseHandle.KERNEL32(00000000), ref: 010007B5
CloseHandle.KERNEL32(?), ref: 010008FF
GetLastError.KERNEL32 ref: 01000931
__dosmaperr.LIBCMT ref: 01000938

Strings

H, xrefs: 010008BD

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1957df415e83bfb38dd8fb906b90e26d9e9937177fbd4caf397b29a7823106bc
Instruction ID: 6f2e8e3193ebb7a94ef8146bb6d9854d4ed72ad4c314852319a663df5ae085f7
Opcode Fuzzy Hash: 1957df415e83bfb38dd8fb906b90e26d9e9937177fbd4caf397b29a7823106bc
Instruction Fuzzy Hash: A1A12932A041488FEF1AAF68DC51BAE3BE5EB06360F144199F8959B2D5D7398902CB51

Function 00FC344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01091418,?,00FC2E7F,?,?,?,00000000), ref: 00FC3A78

Part of subcall function 00FC3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FC3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FC356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0100318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 010031CE
RegCloseKey.ADVAPI32(?), ref: 01003210
_wcslen.LIBCMT ref: 01003277
_wcslen.LIBCMT ref: 01003286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00FC3560
Include, xrefs: 01003184, 010031C5
\, xrefs: 0100328C
\Include\, xrefs: 00FC3527

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: bf740abf380259709fd0c4014fc1f9dabee6e24650f7eed298220d6446cf337b
Instruction ID: b7ccdb29df7f383537b286cf6910e05ddac062d75dd8c687715a607023b252e0
Opcode Fuzzy Hash: bf740abf380259709fd0c4014fc1f9dabee6e24650f7eed298220d6446cf337b
Instruction Fuzzy Hash: 11710171408302AED325DF29DD92DABBBE8FF85340F40882EF5C5871A4EB369548CB52

Function 00FC2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00FC2B9D
LoadIconW.USER32(00000063), ref: 00FC2BB3
LoadIconW.USER32(000000A4), ref: 00FC2BC5
LoadIconW.USER32(000000A2), ref: 00FC2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC2BEF
RegisterClassExW.USER32(?), ref: 00FC2C40

Part of subcall function 00FC2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FC2D07
Part of subcall function 00FC2CD4: RegisterClassExW.USER32(00000030), ref: 00FC2D31
Part of subcall function 00FC2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC2D42
Part of subcall function 00FC2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FC2D5F
Part of subcall function 00FC2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC2D6F
Part of subcall function 00FC2CD4: LoadIconW.USER32(000000A9), ref: 00FC2D85
Part of subcall function 00FC2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC2D94

Strings

AutoIt v3, xrefs: 00FC2C2F
#, xrefs: 00FC2C16
0, xrefs: 00FC2C0F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 040fbf69329962dcd8f146d1bfc46befc4b202b6e5473db25ced5c89c630c4af
Instruction ID: d81656ca3abe46dee2a9684f8bb08950157ee91d2ddb65f98adcfd8c140e6cf5
Opcode Fuzzy Hash: 040fbf69329962dcd8f146d1bfc46befc4b202b6e5473db25ced5c89c630c4af
Instruction Fuzzy Hash: DE216F70F00319AFDB209FA5E965B9E7FB9FB08B60F00C11AF584A6684D7BA0540DF90

Function 00FC3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FC316A,?,?), ref: 00FC31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00FC316A,?,?), ref: 00FC3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FC316A,?,?), ref: 00FC3232
CreatePopupMenu.USER32 ref: 00FC3246
PostQuitMessage.USER32(00000000), ref: 00FC3267

Strings

TaskbarCreated, xrefs: 00FC322D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: db4620b6ee4e2cfe45399c720e59af9ee4240765c5e14a7e6d6ff331bc848c78
Instruction ID: 28e0acec37f75cc013b3d3723fd178a7b08f997394cc748643f8bede28cd10b8
Opcode Fuzzy Hash: db4620b6ee4e2cfe45399c720e59af9ee4240765c5e14a7e6d6ff331bc848c78
Instruction Fuzzy Hash: D441F436B44207AAEF251B289F1FFBA3A69F7053A0F08C11DF58285585C67A8E40B761

Function 00FC1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FC1459
CoUninitialize.COMBASE ref: 00FC14F8
UnregisterHotKey.USER32(?), ref: 00FC16DD
DestroyWindow.USER32(?), ref: 010024B9
FreeLibrary.KERNEL32(?), ref: 0100251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0100254B

Strings

close all, xrefs: 00FC1454

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 34a927e478dace0988bf5b0ce53bbba34e4dbcde57b39aaeb13a0680af7029c9
Instruction ID: 7c6ab1aa894dd855db04ab9ad1232f0f2f34dae87c09e1c11ba8fae486a649a4
Opcode Fuzzy Hash: 34a927e478dace0988bf5b0ce53bbba34e4dbcde57b39aaeb13a0680af7029c9
Instruction Fuzzy Hash: 5AD18D31701212CFEB1AEF14CA9AF29F7A4BF05710F14419DE58A6B292CB31AC26DF54

Function 00FC2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FC1CAD,?), ref: 00FC2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FC1CAD,?), ref: 00FC2CCF

Strings

edit, xrefs: 00FC2CAC
AutoIt v3, xrefs: 00FC2C89, 00FC2C8E, 00FC2C8F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8e1f16d8818497ca4acabb4814aabae637b518d764c7beab87ea6781e773c2a9
Instruction ID: 5d9688299ff6f2ae4b34f8bd608aec288e26528c59b02a55ba07e304d100e932
Opcode Fuzzy Hash: 8e1f16d8818497ca4acabb4814aabae637b518d764c7beab87ea6781e773c2a9
Instruction Fuzzy Hash: 92F0DA756403957AEB311727AC1CE772EBDF7C6F60B00805EF944A6554C67A1850DBB0

Function 00FC3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FC3B0F,SwapMouseButtons,00000004,?), ref: 00FC3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FC3B0F,SwapMouseButtons,00000004,?), ref: 00FC3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00FC3B0F,SwapMouseButtons,00000004,?), ref: 00FC3B83

Strings

Control Panel\Mouse, xrefs: 00FC3B3E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 41ad193487217bec13801e172e0f758c9bb709ca1d145f43a0f077032b8a04a1
Instruction ID: 920975529ef44fc8924940794ec411770bb4874ad0007b4bd5afbfff048cf6fd
Opcode Fuzzy Hash: 41ad193487217bec13801e172e0f758c9bb709ca1d145f43a0f077032b8a04a1
Instruction Fuzzy Hash: E3112AB5510209FFDB208FA5DD45EEFB7BCEF45794B108459B805D7114D231AE44AB60

Function 00FC3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 010033A2

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC3A04

Strings

Line: , xrefs: 010033EB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e36ff8a9d598a5659d56ace4be0c842ab66bffbc1f4cda47ba7af29a16ad24ab
Instruction ID: 16404a1405b5a7c3bbb529c4437ffc05663b6ac4d15c05dc7a6cc76e5ed38f3d
Opcode Fuzzy Hash: e36ff8a9d598a5659d56ace4be0c842ab66bffbc1f4cda47ba7af29a16ad24ab
Instruction Fuzzy Hash: 8431C471908302AAD725EB20DD46FEBB7E8AB44760F00C91EF5D992181DB789648D7C2

Function 00FDFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FE0668

Part of subcall function 00FE32A4: RaiseException.KERNEL32(?,?,?,00FE068A,?,01091444,?,?,?,?,?,?,00FE068A,00FC1129,01088738,00FC1129), ref: 00FE3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00FE0685

Strings

Unknown exception, xrefs: 00FE0692

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b3cc78a59c5b195e0840ecb621e3c3a595e8c8e89de172a6d98d073128ef2655
Instruction ID: a26982b27b007776ba85e01f4c44f1d74b33fcdc2e054a89addc7b1f867ce19d
Opcode Fuzzy Hash: b3cc78a59c5b195e0840ecb621e3c3a595e8c8e89de172a6d98d073128ef2655
Instruction Fuzzy Hash: B6F04C34C0038D73CB00B666DC4AD5E777E5E00320BA44136B964D6591EFB5DA69F9C0

Function 00FC10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC1BF4
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC1BFC
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC1C07
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC1C12
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC1C1A
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC1C22

Part of subcall function 00FC1B4A: RegisterWindowMessageW.USER32(00000004,?,00FC12C4), ref: 00FC1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FC136A
OleInitialize.OLE32 ref: 00FC1388
CloseHandle.KERNEL32(00000000,00000000), ref: 010024AB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b2a9d92555eced33a124d7aa752ae152ec2c20670ac7f7363626023c53314b4e
Instruction ID: bbfe7afc9247d8a5404b6c0d388243b25399be5f1322f595769d20ce9fdb6bbe
Opcode Fuzzy Hash: b2a9d92555eced33a124d7aa752ae152ec2c20670ac7f7363626023c53314b4e
Instruction Fuzzy Hash: 0B71BEB4B01303CFC7A5DF79E666A563AE4BB4836435A822ED4DAC7349EB3A4401DF41

Function 0102C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0102C259
KillTimer.USER32(?,00000001,?,?), ref: 0102C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0102C270

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: fd81c1002801a3a02b68928e5c86b63ef511787c310921857501ae3e3021d5ab
Instruction ID: fbf22ead45b3b0dccd69268d0d8f6a92ec692d0eefcc666553ff8608426ff950
Opcode Fuzzy Hash: fd81c1002801a3a02b68928e5c86b63ef511787c310921857501ae3e3021d5ab
Instruction Fuzzy Hash: CB31C070900364AFFB728B688955BEBBBECAB03308F00409AD6DE93241C7745688CB51

Function 00FF86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00FF85CC,?,01088CC8,0000000C), ref: 00FF8704
GetLastError.KERNEL32(?,00FF85CC,?,01088CC8,0000000C), ref: 00FF870E
__dosmaperr.LIBCMT ref: 00FF8739

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 7418355e5935e62ac09d1d5062af30a1ae44b5a6fc9362709758e07106c48809
Instruction ID: 1a03565daf1df0591768c00d9fe49a2ea8702b22a8d99f19423fbaea3f93ad97
Opcode Fuzzy Hash: 7418355e5935e62ac09d1d5062af30a1ae44b5a6fc9362709758e07106c48809
Instruction Fuzzy Hash: 02012F33E0566C16D7246234A84977E77894F82BF8F350119FB14DB1F2DE698C82B250

Function 00FCDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00FCDB7B
DispatchMessageW.USER32(?), ref: 00FCDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FCDB9F
Sleep.KERNELBASE(0000000A), ref: 00FCDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 01011CC9

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 64066d5ac6e69246021338e9c38bc23ca17488468776ff01dca71f3ade6fdf22
Instruction ID: 773c47c3ae41e8c9dd76354494945b8837317d452429f8852260c0a5772baa24
Opcode Fuzzy Hash: 64066d5ac6e69246021338e9c38bc23ca17488468776ff01dca71f3ade6fdf22
Instruction Fuzzy Hash: A5F030306043459BEB348760DD55F9B73ADEB84310F104519E689870C4DB389448AB15

Function 00FD1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FD17F6

Strings

CALL, xrefs: 00FD17C6

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ceb83898add88dd7c375cdf7aa8c48a89c2f304d71ca85a6d3e2db8ba924d7a6
Instruction ID: c492eb7212ee889249ed87550a13449d768ed7f8fe0acb4011971026f29135bc
Opcode Fuzzy Hash: ceb83898add88dd7c375cdf7aa8c48a89c2f304d71ca85a6d3e2db8ba924d7a6
Instruction Fuzzy Hash: 74228D71608301AFC714DF14C894B2ABBF2BF85314F18895EF4968B361D77AE845EB92

Function 00FC2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 01002C8C

Part of subcall function 00FC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC3A97,?,?,00FC2E7F,?,?,?,00000000), ref: 00FC3AC2

Part of subcall function 00FC2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC2DC4

Strings

X, xrefs: 01002C5A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e0d0ac038c4f22cb2a873ef00eced9d9853b6c36123f6d897519b846b9b36f46
Instruction ID: fe06a7654ef8ef8004061d8218dea429e775534935ecdc5ccb0f57e8c1056e6d
Opcode Fuzzy Hash: e0d0ac038c4f22cb2a873ef00eced9d9853b6c36123f6d897519b846b9b36f46
Instruction Fuzzy Hash: A121F671A002489FDB41EF98CC06BEE7BFCAF48314F00805DE445B7241DBB859499F61

Function 00FC3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC3908

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4bc270019ff89160c6572d2bdd5a2de552b1428d5b38104f814a9d688f68fa7a
Instruction ID: 5c204e7e0ba257170d7ec0346614079f5ec164204daf4bc72f40cbce1de50149
Opcode Fuzzy Hash: 4bc270019ff89160c6572d2bdd5a2de552b1428d5b38104f814a9d688f68fa7a
Instruction Fuzzy Hash: 8031E571A043029FE321DF24D585B97BBF8FB49358F00492EF5D983280E775AA04DB52

Function 00FDF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FDF661

Part of subcall function 00FCD730: GetInputState.USER32 ref: 00FCD807

Sleep.KERNEL32(00000000), ref: 0101F2DE

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 660789bfd1f83a20929c0e88c65689b487ba4aacbfbbc741a1b94f632cf25d2e
Instruction ID: bf72d76a1acc187c3f99b9aa0c6128e4730fb499662818d942e8ec3f170acc5c
Opcode Fuzzy Hash: 660789bfd1f83a20929c0e88c65689b487ba4aacbfbbc741a1b94f632cf25d2e
Instruction Fuzzy Hash: E9F08C352407069FD310EF69DA4AF6AB7E8FF45760F00002AE89AC7350DB75A800DB90

Function 00FCB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FCBB4E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 8b5d7eb2db1cf1a1331f449ca37f5d6dc0b0da97eb1c5d43ddd2bd1039c24cbb
Instruction ID: 0101c83646d7e39d8cd58421a10e5c930c2c7d1f1c4aff9fb3d7accd1ffea18b
Opcode Fuzzy Hash: 8b5d7eb2db1cf1a1331f449ca37f5d6dc0b0da97eb1c5d43ddd2bd1039c24cbb
Instruction Fuzzy Hash: 7E32EE39A0020AAFDB20CF58C996FBE77B9FF44310F148059F985AB259C779AD81DB50

Function 00FC4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC4EDD,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E9C
Part of subcall function 00FC4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC4EAE
Part of subcall function 00FC4E90: FreeLibrary.KERNEL32(00000000,?,?,00FC4EDD,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4EFD

Part of subcall function 00FC4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,01003CDE,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E62
Part of subcall function 00FC4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC4E74
Part of subcall function 00FC4E59: FreeLibrary.KERNEL32(00000000,?,?,01003CDE,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E87

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 394744738be42582478fd3187e69f4a6e98ca6ca2ecdef318da3be5cf2fdf765
Instruction ID: 38c69fc5c9b372b08ecc125c5d5efe645e646d9698cce36d9823b6542ee85b88
Opcode Fuzzy Hash: 394744738be42582478fd3187e69f4a6e98ca6ca2ecdef318da3be5cf2fdf765
Instruction Fuzzy Hash: 3D112732600306AADB11EB64DE23FAD77A5AF90B10F10442DF582EB1C1EE78BA44F750

Function 00FF8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00FF8440

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: edce4a4a241de026a05265b20d9f47d61c438a3038a35f6edece0a628b5ca420
Instruction ID: e47a4802f7a14a9a696d6bc903762feb9a92c5b2e3106ca53fa6fb03a2be71bd
Opcode Fuzzy Hash: edce4a4a241de026a05265b20d9f47d61c438a3038a35f6edece0a628b5ca420
Instruction Fuzzy Hash: 5C11487190410AAFCB05DF58E940AEE7BF8FF48310F104059F908AB311DB31DA12DBA4

Function 00FEE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 6575b48395feadca492c25c4842b4c8b573b13e40330a849e6aa265d93f3c3d0
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: B9F02D32521E5897C7313B6BEC05B6B33989F52374F100715F620931E2DF78D806B9A5

Function 00FF3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: edc53aa01d4baa2c12df8418c80fc6c79390c15001a89a12c4da53b3f26c2e98
Instruction ID: 778eefbfe2b9206dd867a760bdabaab3b49194eb98d4f809f9eeb4f60aabd316
Opcode Fuzzy Hash: edc53aa01d4baa2c12df8418c80fc6c79390c15001a89a12c4da53b3f26c2e98
Instruction Fuzzy Hash: A2E0E5339002ACA6E73126779D00BBB3648AF42BF0F050024BE44925A0DB2DED01F2E0

Function 00FC4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4F6D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 11fae70dc0d0a50742fc97cc356fb81ad3187462ae1e160b84ebc6a62625e0d6
Instruction ID: 00176490b57e932445bb75c8ed49d8df0a08591b9683e6ef1734864a95c1e95b
Opcode Fuzzy Hash: 11fae70dc0d0a50742fc97cc356fb81ad3187462ae1e160b84ebc6a62625e0d6
Instruction Fuzzy Hash: 23F03971905752CFDB349F64E5A1E22BBE4AF14329320897EE1EA83610CB32A844EF10

Function 01052A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01052A66

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 69f9ff4f891bfc420f327b25bd40f792b2bd8484188e48ecad99fedfaebb1adf
Instruction ID: 536b7d43b0ca13bcc6e47646145ce2673fb92f77578d67b1943f65e872bd6fc6
Opcode Fuzzy Hash: 69f9ff4f891bfc420f327b25bd40f792b2bd8484188e48ecad99fedfaebb1adf
Instruction Fuzzy Hash: 1EE08636354227EBD794EA30DC808FFB75CEF682957004536EC96C6140DB34999586F0

Function 00FC30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FC314E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4f2b4b33e2223cea422d1651bf34aa93b345079996d3aa01447c2da6dcfa5263
Instruction ID: 24b7bda7e2dea5f7069d8911135eb6a39a16af972f3c1df98b60e5472eb673da
Opcode Fuzzy Hash: 4f2b4b33e2223cea422d1651bf34aa93b345079996d3aa01447c2da6dcfa5263
Instruction Fuzzy Hash: E3F0A770A003059FE7629B24D846BD67BBCB70170CF0041E9A18896185DB794B88CF41

Function 00FC2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC2DC4

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e9e577cd18883ff75f304b67e3b22f478aa794b1776b2a0a90111f3d425c3e50
Instruction ID: e77391dc41d11f49d63a426efd4910a71c04cc4b14d2865739d6450dfa00e898
Opcode Fuzzy Hash: e9e577cd18883ff75f304b67e3b22f478aa794b1776b2a0a90111f3d425c3e50
Instruction Fuzzy Hash: FEE0C272A042245BDB21E2989C0AFEA77EDDFC87D0F0400B5FD4DE7248DA74ED808690

Function 00FC2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FC3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC3908

Part of subcall function 00FCD730: GetInputState.USER32 ref: 00FCD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00FC2B6B

Part of subcall function 00FC30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FC314E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 48613a3df053bf9bba27f05d2064ad819cc6e4d9f9a945493775aa149eadcdc6
Instruction ID: a5dcf4c6c7b1ea07d31c528850b97206823e5c669292eaa5a1ba573e289e69d8
Opcode Fuzzy Hash: 48613a3df053bf9bba27f05d2064ad819cc6e4d9f9a945493775aa149eadcdc6
Instruction Fuzzy Hash: FDE0263270430B02CB04BA309E27F7DB3499BD93A1F40443EF18243193CE3D4A4A6351

Function 0100039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,01000704,?,?,00000000,?,01000704,00000000,0000000C), ref: 010003B7

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0c4c9efe135944085e924724e40a1156f1f1a4541a95696372bc148d149fc386
Instruction ID: 712fbde3b941b1b8479a326a237d5645a9e979151e5b82b9cfd291a42f3fdc47
Opcode Fuzzy Hash: 0c4c9efe135944085e924724e40a1156f1f1a4541a95696372bc148d149fc386
Instruction Fuzzy Hash: 75D06C3204020DBBDF128E84DD06EDA3BAAFB48714F014000BE5856020C736E821AB94

Function 00FC1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FC1CBC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: da3c918590189bba73a63bf235de40237521b762a7f4cb8c36a1c5c34e7242d2
Instruction ID: 182a44a9c9bf7b47dde6e8851b29dab68c254b36e30fe60a0da1e9e70a4e6a41
Opcode Fuzzy Hash: da3c918590189bba73a63bf235de40237521b762a7f4cb8c36a1c5c34e7242d2
Instruction Fuzzy Hash: 1CC0483A280305AAF3248A90A96AF117769B348B14F448001F68AA95CB82BB18A0EB50

Non-executed Functions

Function 01059576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0105961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0105965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0105969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010596C9
SendMessageW.USER32 ref: 010596F2
GetKeyState.USER32(00000011), ref: 0105978B
GetKeyState.USER32(00000009), ref: 01059798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010597AE
GetKeyState.USER32(00000010), ref: 010597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010597E9
SendMessageW.USER32 ref: 01059810
SendMessageW.USER32(?,00001030,?,01057E95), ref: 01059918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0105992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01059941
SetCapture.USER32(?), ref: 0105994A
ClientToScreen.USER32(?,?), ref: 010599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010599D6
ReleaseCapture.USER32 ref: 010599E1
GetCursorPos.USER32(?), ref: 01059A19
ScreenToClient.USER32(?,?), ref: 01059A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01059A80
SendMessageW.USER32 ref: 01059AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01059AEB
SendMessageW.USER32 ref: 01059B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01059B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01059B4A
GetCursorPos.USER32(?), ref: 01059B68
ScreenToClient.USER32(?,?), ref: 01059B75
GetParent.USER32(?), ref: 01059B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01059BFA
SendMessageW.USER32 ref: 01059C2B
ClientToScreen.USER32(?,?), ref: 01059C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01059CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01059CDE
SendMessageW.USER32 ref: 01059D01
ClientToScreen.USER32(?,?), ref: 01059D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01059D82

Part of subcall function 00FD9944: GetWindowLongW.USER32(?,000000EB), ref: 00FD9952

GetWindowLongW.USER32(?,000000F0), ref: 01059E05

Strings

@GUI_DRAGID, xrefs: 0105997D
F, xrefs: 01059D07

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 1b6f1187f007c1af19ae229154abc8079c07607f21ce77922c3bda243cd91e44
Instruction ID: 0e6ed18d79ba894c3c555f067ea4f27c4f4584d720163989e3adfb90d4744a2b
Opcode Fuzzy Hash: 1b6f1187f007c1af19ae229154abc8079c07607f21ce77922c3bda243cd91e44
Instruction Fuzzy Hash: BA429F34204301EFEBA5CF28C944AABBBE9FF48318F040559FAD9872A1D735A954DB61

Function 01054873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01054908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01054927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0105494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0105495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0105497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01054A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01054A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01054A7E
IsMenu.USER32(?), ref: 01054A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01054AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01054B20
GetWindowLongW.USER32(?,000000F0), ref: 01054B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01054BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01054C82
wsprintfW.USER32 ref: 01054CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01054CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01054CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01054D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01054D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01054D5A

Strings

%d/%02d/%02d, xrefs: 01054CA8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 48e85b1b4a81f1599305b7ed42c90a09728d64a379561c8f0a55be8c00fea624
Instruction ID: 37b8ef6d22b9dd042046fffe9d6d99876d77ffcfd9685c75f8b505ef012d3eb0
Opcode Fuzzy Hash: 48e85b1b4a81f1599305b7ed42c90a09728d64a379561c8f0a55be8c00fea624
Instruction Fuzzy Hash: 2812DE71600314ABFBA58F28CD49FEF7BF8EB45310F044159F996DA291E7789A81CB50

Function 00FDF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FDF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0101F474
IsIconic.USER32(00000000), ref: 0101F47D
ShowWindow.USER32(00000000,00000009), ref: 0101F48A
SetForegroundWindow.USER32(00000000), ref: 0101F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0101F4AA
GetCurrentThreadId.KERNEL32 ref: 0101F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0101F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0101F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0101F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0101F4DE
SetForegroundWindow.USER32(00000000), ref: 0101F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0101F4F6
keybd_event.USER32(00000012,00000000), ref: 0101F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0101F50B
keybd_event.USER32(00000012,00000000), ref: 0101F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0101F519
keybd_event.USER32(00000012,00000000), ref: 0101F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0101F528
keybd_event.USER32(00000012,00000000), ref: 0101F52D
SetForegroundWindow.USER32(00000000), ref: 0101F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0101F557

Strings

Shell_TrayWnd, xrefs: 0101F46F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1141bba8cb92bae80b86c0e35addc1a8c8d86e3936aa6970630ec2c286c80706
Instruction ID: 331bfcaf32d09502f11d482f44fb8eaf535dcfd49d6f11bde361474c9585523c
Opcode Fuzzy Hash: 1141bba8cb92bae80b86c0e35addc1a8c8d86e3936aa6970630ec2c286c80706
Instruction Fuzzy Hash: 9D318171A40318BBFB316BB54D4AFBF7EACEB44B50F100055FA41E61C5D6B55A40ABA0

Function 01021201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 010216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102170D
Part of subcall function 010216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102173A
Part of subcall function 010216C3: GetLastError.KERNEL32 ref: 0102174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01021286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010212A8
CloseHandle.KERNEL32(?), ref: 010212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010212D1
GetProcessWindowStation.USER32 ref: 010212EA
SetProcessWindowStation.USER32(00000000), ref: 010212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01021310

Part of subcall function 010210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010211FC), ref: 010210D4
Part of subcall function 010210BF: CloseHandle.KERNEL32(?,?,010211FC), ref: 010210E9

Strings

default, xrefs: 0102130B
, xrefs: 0102125A
winsta0, xrefs: 010212CC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 4909dc846a4e717fb5bf1b2f1490820a715fb42e1945e503bc2755d1a53d364e
Instruction ID: d44aa1537f2cbd66b1101665efa5a339290571c67f52deb3135ffb2ff47dcfb4
Opcode Fuzzy Hash: 4909dc846a4e717fb5bf1b2f1490820a715fb42e1945e503bc2755d1a53d364e
Instruction Fuzzy Hash: E3819A71900319ABEF219FA8DD48BEF7FBDEF08704F044169FA95A6190CB359A44CB60

Function 01020B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01021114
Part of subcall function 010210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021120
Part of subcall function 010210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 0102112F
Part of subcall function 010210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021136
Part of subcall function 010210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0102114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01020BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01020C00
GetLengthSid.ADVAPI32(?), ref: 01020C17
GetAce.ADVAPI32(?,00000000,?), ref: 01020C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01020C6D
GetLengthSid.ADVAPI32(?), ref: 01020C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01020C8C
HeapAlloc.KERNEL32(00000000), ref: 01020C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01020CB4
CopySid.ADVAPI32(00000000), ref: 01020CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01020CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01020D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01020D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020D45
HeapFree.KERNEL32(00000000), ref: 01020D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020D55
HeapFree.KERNEL32(00000000), ref: 01020D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020D65
HeapFree.KERNEL32(00000000), ref: 01020D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 01020D78
HeapFree.KERNEL32(00000000), ref: 01020D7F

Part of subcall function 01021193: GetProcessHeap.KERNEL32(00000008,01020BB1,?,00000000,?,01020BB1,?), ref: 010211A1
Part of subcall function 01021193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01020BB1,?), ref: 010211A8
Part of subcall function 01021193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01020BB1,?), ref: 010211B7

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 115b31bdc6c5d6423ed3d935229af557cbc630c20ae342d968b8f771cc619441
Instruction ID: bae5a590c52165fdd402abc3b1185bd15575afeb457536dfeb63d71656e56e3e
Opcode Fuzzy Hash: 115b31bdc6c5d6423ed3d935229af557cbc630c20ae342d968b8f771cc619441
Instruction Fuzzy Hash: 05717B7190131AABEF209FA8DD44BAFBBBCFF05210F144195FA94A7184D775A905CF60

Function 0103EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0105CC08), ref: 0103EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0103EB37
GetClipboardData.USER32(0000000D), ref: 0103EB43
CloseClipboard.USER32 ref: 0103EB4F
GlobalLock.KERNEL32(00000000), ref: 0103EB87
CloseClipboard.USER32 ref: 0103EB91
GlobalUnlock.KERNEL32(00000000), ref: 0103EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0103EBC9
GetClipboardData.USER32(00000001), ref: 0103EBD1
GlobalLock.KERNEL32(00000000), ref: 0103EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0103EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0103EC38
GetClipboardData.USER32(0000000F), ref: 0103EC44
GlobalLock.KERNEL32(00000000), ref: 0103EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0103EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0103EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0103ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0103ECF3
CountClipboardFormats.USER32 ref: 0103ED14
CloseClipboard.USER32 ref: 0103ED59

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 834156342f4acd7dd67356c31521db4a803da1d9d8503313f3d9bb63725fc981
Instruction ID: 311361c12d20126466a44b7d0274b727257dda77279495eba95859b1b75ad4bd
Opcode Fuzzy Hash: 834156342f4acd7dd67356c31521db4a803da1d9d8503313f3d9bb63725fc981
Instruction Fuzzy Hash: 0261BD342043029FE311EF28D989F6B7BECAF84744F04465DF5969B292CB36E905CB62

Function 0103698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 010369BE
FindClose.KERNEL32(00000000), ref: 01036A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01036A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01036A75

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 01036AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 01036ADF

Strings

%4d, xrefs: 01036BB1
%02d, xrefs: 01036C00, 01036C0A, 01036C5A, 01036CAA, 01036CFA, 01036D4A
%03d, xrefs: 01036DA2
%4d%02d%02d%02d%02d%02d, xrefs: 01036B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 01036B32

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6a13e1ced346dd039c685076c5f91c41c45f83a9b3156558fe1bfd920f7b6c75
Instruction ID: 2fd27a702a3d179e8bc88e7372e107b7164bdd92182137c90325da54ab8f6c0d
Opcode Fuzzy Hash: 6a13e1ced346dd039c685076c5f91c41c45f83a9b3156558fe1bfd920f7b6c75
Instruction Fuzzy Hash: 72D16171508301AFC310EBA4CD86EABB7ECAF88704F44491DF589C7191EB79DA48DB62

Function 01039642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 01039663
GetFileAttributesW.KERNEL32(?), ref: 010396A1
SetFileAttributesW.KERNEL32(?,?), ref: 010396BB
FindNextFileW.KERNEL32(00000000,?), ref: 010396D3
FindClose.KERNEL32(00000000), ref: 010396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 010396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0103974A
SetCurrentDirectoryW.KERNEL32(01086B7C), ref: 01039768
FindNextFileW.KERNEL32(00000000,00000010), ref: 01039772
FindClose.KERNEL32(00000000), ref: 0103977F
FindClose.KERNEL32(00000000), ref: 0103978F

Strings

*.*, xrefs: 010396F5

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dfeeb207d586b90aa82567352cd6d785d7268ac64b3e65ebc15c0cb75d3f6b4d
Instruction ID: 0219ee0fd28c65513eeaa46f049b7a9beb8709553e783ea67e633c67c357fd45
Opcode Fuzzy Hash: dfeeb207d586b90aa82567352cd6d785d7268ac64b3e65ebc15c0cb75d3f6b4d
Instruction Fuzzy Hash: 6431F63254131A6BEF25AEB9DD49ADF37ECAF89364F004099F985E2090DB75DA40CB10

Function 0103979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 010397BE
FindNextFileW.KERNEL32(00000000,?), ref: 01039819
FindClose.KERNEL32(00000000), ref: 01039824
FindFirstFileW.KERNEL32(*.*,?), ref: 01039840
SetCurrentDirectoryW.KERNEL32(?), ref: 01039890
SetCurrentDirectoryW.KERNEL32(01086B7C), ref: 010398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010398B8
FindClose.KERNEL32(00000000), ref: 010398C5
FindClose.KERNEL32(00000000), ref: 010398D5

Part of subcall function 0102DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0102DB00

Strings

*.*, xrefs: 0103983B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c540f1cacf66347769245ac47cfe424e262f2274e6714fda17d7cee1c6c9db9d
Instruction ID: 6920a7e7dd58097cdacc3a4412870bcfabd814143e3ae5bb89e6f7322b1ac887
Opcode Fuzzy Hash: c540f1cacf66347769245ac47cfe424e262f2274e6714fda17d7cee1c6c9db9d
Instruction Fuzzy Hash: CF31D83150031AAAEF20EFB9DC48ADF77AC9FC5328F104195E9D4A2090DB75DA85CF20

Function 0104BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0104C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104C9F1
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA68
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0104BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0104BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0104C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0104C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0104C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0104C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0104C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0104C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0104C382
RegCloseKey.ADVAPI32(00000000), ref: 0104C38F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: e954a0abc8b527469454e096e37978d12333aa1014ca7e8958ff05ac2c560c52
Instruction ID: 462e98666f7c842b9bbcf6eee79e3e32730b3c4fcd7a5c02117279ab54e336b1
Opcode Fuzzy Hash: e954a0abc8b527469454e096e37978d12333aa1014ca7e8958ff05ac2c560c52
Instruction Fuzzy Hash: F7025EB06042019FE754DF28C9D5E2ABBE5AF89304F08C4ADF48ACB2A2D735ED45CB51

Function 01038195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01038257
SystemTimeToFileTime.KERNEL32(?,?), ref: 01038267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01038273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01038310
SetCurrentDirectoryW.KERNEL32(?), ref: 01038324
SetCurrentDirectoryW.KERNEL32(?), ref: 01038356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0103838C
SetCurrentDirectoryW.KERNEL32(?), ref: 01038395

Strings

*.*, xrefs: 0103839B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5389c8b56dff6d4a075111b060ca9c5f098966cb6719c868349e033bf4162161
Instruction ID: 321a77dde669468b071760b66c341c880a23f9653e6890e325a5764938d08e91
Opcode Fuzzy Hash: 5389c8b56dff6d4a075111b060ca9c5f098966cb6719c868349e033bf4162161
Instruction Fuzzy Hash: 106179725083059FD710EF64C841AAEB3ECFF89310F04896EF98987251DB35E945CB92

Function 0102D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC3A97,?,?,00FC2E7F,?,?,?,00000000), ref: 00FC3AC2

Part of subcall function 0102E199: GetFileAttributesW.KERNEL32(?,0102CF95), ref: 0102E19A

FindFirstFileW.KERNEL32(?,?), ref: 0102D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0102D1DD
MoveFileW.KERNEL32(?,?), ref: 0102D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0102D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0102D237

Part of subcall function 0102D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0102D21C,?,?), ref: 0102D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0102D253
FindClose.KERNEL32(00000000), ref: 0102D264

Strings

\*.*, xrefs: 0102D0CD, 0102D0D6, 0102D0EB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: f0f278f16bb3a587c47d388544575d5cf8b9602268aa2628accd3a82e7d63ed2
Instruction ID: fef3b001b582a705cb6d1456ab7a70412837557168ad6788be1d120fc23bc476
Opcode Fuzzy Hash: f0f278f16bb3a587c47d388544575d5cf8b9602268aa2628accd3a82e7d63ed2
Instruction Fuzzy Hash: A661913180521EABDF05EBE0DE52EEDB7B9AF11300F6041A9E44173191EB35AF09DB60

Function 0103ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0103ED91
EmptyClipboard.USER32 ref: 0103ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0103EDAC
CloseClipboard.USER32 ref: 0103EEA3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8a0998b570a7fd927d8537d6b7b87c1469e2c6f07ab9cb6dc8fa0488d421eca0
Instruction ID: b7054f31319a807178eea07454530da50aaaaa5ca5a4f7e8669481ee1f01f458
Opcode Fuzzy Hash: 8a0998b570a7fd927d8537d6b7b87c1469e2c6f07ab9cb6dc8fa0488d421eca0
Instruction Fuzzy Hash: A8418F352046119FE721DF19D549F1ABBE9EF84318F04C19DE49A8B662C73AFD42CBA0

Function 0102E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102170D
Part of subcall function 010216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102173A
Part of subcall function 010216C3: GetLastError.KERNEL32 ref: 0102174A

ExitWindowsEx.USER32(?,00000000), ref: 0102E932

Strings

, xrefs: 0102E920
, xrefs: 0102E95C
SeShutdownPrivilege, xrefs: 0102E902
@, xrefs: 0102E925

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 27d6e603dee98ca98cf012b2f90f744a3e7fa7cc401bcfb9a1cf6aa984207f65
Instruction ID: dd4ca136a057015e0c6dc27d20dbbf1418011539c48f3149a165f614c5a8e031
Opcode Fuzzy Hash: 27d6e603dee98ca98cf012b2f90f744a3e7fa7cc401bcfb9a1cf6aa984207f65
Instruction Fuzzy Hash: C4012132790331ABFBA422B8DC89BFF72ACAB14740F050823FDC2E20C1D6A55C4082A0

Function 01041204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01041276
WSAGetLastError.WSOCK32 ref: 01041283
bind.WSOCK32(00000000,?,00000010), ref: 010412BA
WSAGetLastError.WSOCK32 ref: 010412C5
closesocket.WSOCK32(00000000), ref: 010412F4
listen.WSOCK32(00000000,00000005), ref: 01041303
WSAGetLastError.WSOCK32 ref: 0104130D
closesocket.WSOCK32(00000000), ref: 0104133C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9713ddb8fbe2240af1c035b5cba46ea2470d216883cbdf332db00b692d87fa22
Instruction ID: 214b9fa5175c54c2ed7969ca6cb46c521e5ffd492d636fc9460c6b35cbdfb259
Opcode Fuzzy Hash: 9713ddb8fbe2240af1c035b5cba46ea2470d216883cbdf332db00b692d87fa22
Instruction Fuzzy Hash: 864172B56002019FE710DF68C6C5B2ABBE5AF46314F188198D9968F296C775FC81CBA1

Function 0102D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC3A97,?,?,00FC2E7F,?,?,?,00000000), ref: 00FC3AC2

Part of subcall function 0102E199: GetFileAttributesW.KERNEL32(?,0102CF95), ref: 0102E19A

FindFirstFileW.KERNEL32(?,?), ref: 0102D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0102D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0102D481
FindClose.KERNEL32(00000000), ref: 0102D498
FindClose.KERNEL32(00000000), ref: 0102D4A1

Strings

\*.*, xrefs: 0102D3F2

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e78550b59e6a0f39c14d5019458134e38721f6d9c6d63b9a51df278ffb0a2560
Instruction ID: c2866105bc6449e56be7b6b7b1a2f873b2face943d47aafb5110255f575d934d
Opcode Fuzzy Hash: e78550b59e6a0f39c14d5019458134e38721f6d9c6d63b9a51df278ffb0a2560
Instruction Fuzzy Hash: 6731C03100C3469BC311EF64C996DEFB7E8AE91304F404A1DF4D593191EB29AA09DB63

Function 00FFE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FFE645

Strings

1#IND, xrefs: 00FFF83D
1#SNAN, xrefs: 00FFF844
1#INF, xrefs: 00FFF852
1#QNAN, xrefs: 00FFF84B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7544f2b9a5ada8875c6b271a97d34d7df2575fcbb5f563d9091a1e7bb8ed7ece
Instruction ID: 436ec4c46dac7e14133e51ad7e5558eb3318101bf8ba322f8346f225f50dd761
Opcode Fuzzy Hash: 7544f2b9a5ada8875c6b271a97d34d7df2575fcbb5f563d9091a1e7bb8ed7ece
Instruction Fuzzy Hash: 6CC22872E086288FDB25CE28DD407EAB7B5EF44314F1441EAD94DE7260E778AE859F40

Function 0103648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 010364DC
CoInitialize.OLE32(00000000), ref: 01036639
CoCreateInstance.OLE32(0105FCF8,00000000,00000001,0105FB68,?), ref: 01036650
CoUninitialize.OLE32 ref: 010368D4

Strings

.lnk, xrefs: 010364BA, 01036524, 010365E0

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d8e87512891a581520b0b8b2df6c54a72103e066127689412bcc3506a5e60831
Instruction ID: 5ef3b08946887d5a92ce49badcad1ac13a9dac6c238b5d09f932e5d39e84c37b
Opcode Fuzzy Hash: d8e87512891a581520b0b8b2df6c54a72103e066127689412bcc3506a5e60831
Instruction Fuzzy Hash: 7DD14C71508302AFD314EF24C981E6BB7E8FF99704F00496DF5958B291DB75EA09CBA2

Function 01039B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01039B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01039C8B

Part of subcall function 01033874: GetInputState.USER32 ref: 010338CB
Part of subcall function 01033874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01033966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01039BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01039C75

Strings

*.*, xrefs: 01039B5D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: db78dba4c6909937a050f6d6e26e8d71b37948e7bf3fd70bb4db5c25fee65f7b
Instruction ID: 27beb2c24b8ae98e76ab5ca9fcd4206f84f7c98e1078be44732caba84c0bf5a7
Opcode Fuzzy Hash: db78dba4c6909937a050f6d6e26e8d71b37948e7bf3fd70bb4db5c25fee65f7b
Instruction Fuzzy Hash: FF41E03190420E9FDF54DFA8CD89AEEBBF8EF45304F144099E985A3191EB709A84CF60

Function 00FD997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FD9A4E
GetSysColor.USER32(0000000F), ref: 00FD9B23
SetBkColor.GDI32(?,00000000), ref: 00FD9B36

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 31833da6609e2143a8d4a1bd41f99577f51fc1d24d5849ed14128e70c44a1b6e
Instruction ID: ca2c2eb4da478824f0156397c4a03ea55110e2f69cecbcd5f65059825e2e363d
Opcode Fuzzy Hash: 31833da6609e2143a8d4a1bd41f99577f51fc1d24d5849ed14128e70c44a1b6e
Instruction Fuzzy Hash: C4A13D7220C105AEE7759ABC8C58E7F399EEB46354F19020BF582C7789CAAD9D01E371

Function 01041806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0104304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0104307A
Part of subcall function 0104304E: _wcslen.LIBCMT ref: 0104309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0104185D
WSAGetLastError.WSOCK32 ref: 01041884
bind.WSOCK32(00000000,?,00000010), ref: 010418DB
WSAGetLastError.WSOCK32 ref: 010418E6
closesocket.WSOCK32(00000000), ref: 01041915

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c8f81921fab4b990c985712fd457b06e17f7df474f80e2a111f39c3aba85dcf3
Instruction ID: 17225be6d62dad2d450c22958cf1c0ee48f0ec4fc39055b068d1699a22d68ff0
Opcode Fuzzy Hash: c8f81921fab4b990c985712fd457b06e17f7df474f80e2a111f39c3aba85dcf3
Instruction Fuzzy Hash: 3251B275A00210AFEB10EF24C986F6A77E5AB45718F08849CF9469F3C3C775AD41DBA1

Function 0103CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0103C21E,00000000), ref: 0103CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0103CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0103C21E,00000000), ref: 0103CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0103C21E,00000000), ref: 0103CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0103C21E,00000000), ref: 0103CFF2

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 850466d3961f538a4e6c2ee0cc8d9d74d18cf9830aede3ad71f1983427c5b2fc
Instruction ID: 232d0c838ba6dfaaa9f8975f67dcb0ffa9229ddb79e25cb618eba0c2003f8ed5
Opcode Fuzzy Hash: 850466d3961f538a4e6c2ee0cc8d9d74d18cf9830aede3ad71f1983427c5b2fc
Instruction Fuzzy Hash: 96314B71500705AFFB20DFA9CA84AAFBBFCEB44354B10446FE58AE2141DB34AA41DB60

Function 01051C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01051CC0
IsWindowEnabled.USER32 ref: 01051CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01051CDB
IsIconic.USER32 ref: 01051CE9
IsZoomed.USER32 ref: 01051CF7

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 32e8b5d8c35e21b242edebf79fac9104a7ab1c0a6631e04ad730625778572151
Instruction ID: 7cc8d4d636a54c43c6932ff5d5a17d80669bc19c36a29276eb0fac5325233e18
Opcode Fuzzy Hash: 32e8b5d8c35e21b242edebf79fac9104a7ab1c0a6631e04ad730625778572151
Instruction Fuzzy Hash: 8B2182317002055FE7A19F1AC884F6B7FE9AF95315B19809CEC898B341C776E942CBA0

Function 00FC8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00FC83FA
VUUU, xrefs: 00FC83E8
ERCP, xrefs: 00FC813C
VUUU, xrefs: 01005DF0
VUUU, xrefs: 00FC843C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 84c7209b2ebfdeac303fca8203ba0e57eb9673fd61040f101cbe57270fa62f45
Instruction ID: 5761531ccae8478c7f5ebb8083e5db22ee5ff18f6e2a887ac82dcc23f2e64c94
Opcode Fuzzy Hash: 84c7209b2ebfdeac303fca8203ba0e57eb9673fd61040f101cbe57270fa62f45
Instruction Fuzzy Hash: 97A2C471E0021ACBEF25CF58C941BEEB7B2BF44350F1481AAD855A7281EB719D92DF90

Function 0102AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0102ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0102AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0102AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0102ACC6

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3d1a08232336546ef4a538f0fb08597639f25dcf05e80dbd15a5a8dd302de4e6
Instruction ID: cb07da7f6b819a9f7c72f729c60b9bd1ed655864ee2d37064a988cadca6858eb
Opcode Fuzzy Hash: 3d1a08232336546ef4a538f0fb08597639f25dcf05e80dbd15a5a8dd302de4e6
Instruction Fuzzy Hash: 40310530B0032CEFFF358A68C8047FEBAA9AB89310F24425AE4C5535D1CB7585858751

Function 00FFBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FFBB7F

Part of subcall function 00FF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

GetTimeZoneInformation.KERNEL32 ref: 00FFBB91
WideCharToMultiByte.KERNEL32(00000000,?,0109121C,000000FF,?,0000003F,?,?), ref: 00FFBC09
WideCharToMultiByte.KERNEL32(00000000,?,01091270,000000FF,?,0000003F,?,?,?,0109121C,000000FF,?,0000003F,?,?), ref: 00FFBC36

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 86aad54daaade346c03adfd23b413c7ab258f7e1b8700ef192847acb84de2a04
Instruction ID: 9ccffa1b0b46d47402ab442287c80a8e310e62f95d32f7950f2f547fb3b29676
Opcode Fuzzy Hash: 86aad54daaade346c03adfd23b413c7ab258f7e1b8700ef192847acb84de2a04
Instruction Fuzzy Hash: BE31A5B1A0820ADFCB21EF69DC9053ABBB8FF45760714429AE290D72B5D7359D10EB50

Function 01028298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010282AA

Strings

(, xrefs: 010282F0
|, xrefs: 010282DA

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 06fedc0f1a879d69eaeb17f29739b6a94e67f8390b6870a6ce4f8b0577ca7f9b
Instruction ID: 7bded17634b1b3e194726f4a18006a55a841cd08893e90d937febf2f6b4961eb
Opcode Fuzzy Hash: 06fedc0f1a879d69eaeb17f29739b6a94e67f8390b6870a6ce4f8b0577ca7f9b
Instruction Fuzzy Hash: CF323578A007159FDB28CF59C480AAAB7F0FF48310B15C5AEE59ADB7A1E770E941CB40

Function 01035C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01035CC1
FindNextFileW.KERNEL32(00000000,?), ref: 01035D17
FindClose.KERNEL32(?), ref: 01035D5F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5e48a997ba250bfff918f48f3db0ecf9ceb46a1617a7c564f1ed098592826ca2
Instruction ID: d2ccff3a0134e8d10cec7ab99f683d793317a751db086cdbafc408dc0ee20571
Opcode Fuzzy Hash: 5e48a997ba250bfff918f48f3db0ecf9ceb46a1617a7c564f1ed098592826ca2
Instruction Fuzzy Hash: 6A51BE346047029FD714DF28C899E9AB7E8FF49314F14859DE99A8B3A2CB34E905CF91

Function 00FF2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FF271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FF2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00FF2731

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 64141f8094e2e96d5eae7727e213b1800916a055aeeb64179b304c3161b6f9ec
Instruction ID: 711a0c158d5d68478922658299b2fd875a0d71d1bf23aa871b24b4de21e888da
Opcode Fuzzy Hash: 64141f8094e2e96d5eae7727e213b1800916a055aeeb64179b304c3161b6f9ec
Instruction Fuzzy Hash: 6A31E27190131CABCB61DF68DD8879DBBB8AF08310F1041EAE80CA6261EB749F819F44

Function 010351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01035238
SetErrorMode.KERNEL32(00000000), ref: 010352A1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d966ab0932db85a92f87f878442c488e5083dd0a6f8086dea278637cc104e17f
Instruction ID: bdd29b70da8a305b5e3ee7376021596829b1d2fdd36f7dafdcce310bb448e0ab
Opcode Fuzzy Hash: d966ab0932db85a92f87f878442c488e5083dd0a6f8086dea278637cc104e17f
Instruction Fuzzy Hash: 64314D75A002199FDB00DF54D884EADBBB8FF49314F048099E9459B356DB36E855CB90

Function 010216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FE0668
Part of subcall function 00FDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FE0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102173A
GetLastError.KERNEL32 ref: 0102174A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0db6e2ab9867df7bee4385d4585a9d7ec01b64635df8569b380ef835295ed288
Instruction ID: e9ad6e265dfadb5307c68b9c1dc99bc87775a3b01112dcf498a611ea5371d677
Opcode Fuzzy Hash: 0db6e2ab9867df7bee4385d4585a9d7ec01b64635df8569b380ef835295ed288
Instruction Fuzzy Hash: 5411BFB2400304AFE7289F54DC86D6BBBBEFB44724B24852EF49653241EB74B8418B20

Function 0102D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0102D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0102D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0102D650

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 081fe24d883ee94caa97a9a8dd495e6e45877f7335b3a6ef79f7353a1184f91b
Instruction ID: 45a2c2ff636f757b1feec2c4afd981bc064784261e1f4e3c7a608e08d16ff3ac
Opcode Fuzzy Hash: 081fe24d883ee94caa97a9a8dd495e6e45877f7335b3a6ef79f7353a1184f91b
Instruction Fuzzy Hash: 34117071E01328BBEB208F989848FAFBFBCEB49B50F104151F954E7280C2744A018BA1

Function 01021663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0102168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010216A1
FreeSid.ADVAPI32(?), ref: 010216B1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7a95b4de2922ae3fbe4de3b933d3fde1060eafc29aefa36f6be14e033e88adb7
Instruction ID: d23374d075362a99a9d72787023174c54b349fceea399817a199102c835db8bd
Opcode Fuzzy Hash: 7a95b4de2922ae3fbe4de3b933d3fde1060eafc29aefa36f6be14e033e88adb7
Instruction Fuzzy Hash: 0EF0177195030DBBEF10DFE4D989EAEBBBCFB08604F5045A5F501E2181E775AA448B50

Function 0101D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0101D28C

Strings

X64, xrefs: 0101D2A8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 6835fa94032d5875fc1a5e222b0a598a6a5adaa62c7fcc93458457f52c3a6ed5
Instruction ID: 608f7ef7b891dd94e23563f7082def4bc37fc6f39ff025bddbf41fbc7bf191b6
Opcode Fuzzy Hash: 6835fa94032d5875fc1a5e222b0a598a6a5adaa62c7fcc93458457f52c3a6ed5
Instruction Fuzzy Hash: C9D0C9B580121DEACF90DA90D88CDDEB3BCFB14305F000152F146A2104D77895488F10

Function 00FECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d08603ae0ca4951b2df1bbf2634cc82bc7e6675d4a60f8f8fdf9b8053ccda9a0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: BE021E72E012599FDF14CFA9C8806ADFBF1EF48324F25416AE919E7380D731A9429BD4

Function 010368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01036918
FindClose.KERNEL32(00000000), ref: 01036961

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 584c9afaf52ae5682574c406cb1aa36ffa2db2c15a0c067c6cab76bba909d8eb
Instruction ID: 6febd01ab2f9c91856129150349f55e2957873abcef19cebde7ce7387e746442
Opcode Fuzzy Hash: 584c9afaf52ae5682574c406cb1aa36ffa2db2c15a0c067c6cab76bba909d8eb
Instruction Fuzzy Hash: 6C1193316042019FD710DF29D489E16BBE9FF85328F04C69DE5A98F6A2C735ED05CB91

Function 010337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01044891,?,?,00000035,?), ref: 010337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01044891,?,?,00000035,?), ref: 010337F4

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6c064ccbfb8d9a37f27068511ad4f33e79b21f8aebc69ee65201b966457c18d0
Instruction ID: 833fed41ab56315a35741aa6db471b025caaa71ad9b18fb53b1ed05454983094
Opcode Fuzzy Hash: 6c064ccbfb8d9a37f27068511ad4f33e79b21f8aebc69ee65201b966457c18d0
Instruction Fuzzy Hash: EEF0E5706043292AE73156668D8DFEB3AAEFFC4761F0001A5F509D2285D9609904C7B0

Function 0102B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0102B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0102B270

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 204c725394d5a1df06ac66f6eb7f22480960a5604231a8146a32de4cf10bb1df
Instruction ID: f538fa4fc05bfe5e634ab75b185344a0da3a9944b0e6fbae2387bb50bfd25764
Opcode Fuzzy Hash: 204c725394d5a1df06ac66f6eb7f22480960a5604231a8146a32de4cf10bb1df
Instruction Fuzzy Hash: 83F01D7180434DABEB159FA4C805BAE7FB4FF05309F008049F995A5192C7798255DF94

Function 010210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010211FC), ref: 010210D4
CloseHandle.KERNEL32(?,?,010211FC), ref: 010210E9

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f2832eeeac7d3f144eaeac6dd78f338715044d25036713a2312b75c20ec8cfd9
Instruction ID: b30e900a6308abe64fd4218db5345f6a3a91ab5cdfeecb520f5c6ad49050b198
Opcode Fuzzy Hash: f2832eeeac7d3f144eaeac6dd78f338715044d25036713a2312b75c20ec8cfd9
Instruction Fuzzy Hash: 11E04F32004710AEF7252B51FC05E777BEEEB04310B14882EF5A6804B5DB666C90EB50

Function 00FCCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01010C40

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 24efeab0b30379ffd74ba2902da954335322ea9263825674dec4052f4af5c9c9
Instruction ID: 2b53f1eadf3511478ee7b15b90b8eb8923e17de52b7e26059d47b76c47451010
Opcode Fuzzy Hash: 24efeab0b30379ffd74ba2902da954335322ea9263825674dec4052f4af5c9c9
Instruction Fuzzy Hash: B532B37190021ADFDF14DF94CA82FEDB7B5BF05304F14405DE88AAB286C779A945EBA0

Function 00FF676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FF6766,?,?,00000008,?,?,00FFFEFE,00000000), ref: 00FF6998

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7ba4a0d5e85085df9fe3aa6371106e1bc1ccc783735cd3002781d6c5fa2be061
Instruction ID: 354313f1f0b777b3f85ca43f3417393b60c1e1503177cbae3b6d1a13fdb4a6cb
Opcode Fuzzy Hash: 7ba4a0d5e85085df9fe3aa6371106e1bc1ccc783735cd3002781d6c5fa2be061
Instruction Fuzzy Hash: C7B15B32A106089FD715CF28C48AB657BE0FF05364F25865CE999CF2B2CB35E981DB40

Function 00FDB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0101851F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e43d8da97d70a584d342ceb44586fd7867e9ce1f3820b29c6046ec341de75371
Instruction ID: 977a22e6205ed0a2b4300059dca93592301f2cbc33fbe50f6cf017fe6932540e
Opcode Fuzzy Hash: e43d8da97d70a584d342ceb44586fd7867e9ce1f3820b29c6046ec341de75371
Instruction Fuzzy Hash: 2A125D71D00229DBDB65CF58C880BEEB7F5FF48310F15819AE849EB255E7349A81DB90

Function 0103EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0103EABD

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3026ffd2eeb6bcdf85937ec0327aefa22db031fdaca3ce945ce2c3ebed43c290
Instruction ID: e4caa2fd11fa2a5ae3331847a59755932deb3314ffd0be5a6dbeaaa0ed366e34
Opcode Fuzzy Hash: 3026ffd2eeb6bcdf85937ec0327aefa22db031fdaca3ce945ce2c3ebed43c290
Instruction Fuzzy Hash: D0E01A352002059FD710EF59D905E9AB7EDAF98760F00841AFC89C7351DA75B8418BA0

Function 0102E355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0102E37E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 54abe1903e54824b5d4b103af54dc5d27a47f0829287d2ed68826575aaf1747b
Instruction ID: edb7a0af1bfd72eb959b9be999aee05d153338ddd201999149cf4042f5612141
Opcode Fuzzy Hash: 54abe1903e54824b5d4b103af54dc5d27a47f0829287d2ed68826575aaf1747b
Instruction Fuzzy Hash: 19D05EF25D03213DFBBD0A3CCE2FF7A698CE302583F40D789F2C289689DA91A4444021

Function 00FE09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FE03EE), ref: 00FE09DA

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2a545b325d62e647a4ed04d6cd805365feb3d5a00192d4b91272cfc7b9e86173
Instruction ID: 07aa1ab62765a13b2e25c995c4884a53ef6c5973b04f1a1df51445acaea972c4
Opcode Fuzzy Hash: 2a545b325d62e647a4ed04d6cd805365feb3d5a00192d4b91272cfc7b9e86173
Instruction Fuzzy Hash:

Function 00FE781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00FE798B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d3076e0523725e7661ee0f5526f578af9a583801f9a89f118c2c194249c1b9ae
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4E515772E0C7C55ADB38B56B88597BF63899F22360F280519D886C7293C619DF06F352

Function 00FF6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69df661e144dc3a2317659699be4f6770122f2617192f9cc97a372e596f9e298
Instruction ID: 09e77f15e3bf31845954a39c74bab6001de4587581a68be259e8834dff5ed2df
Opcode Fuzzy Hash: 69df661e144dc3a2317659699be4f6770122f2617192f9cc97a372e596f9e298
Instruction Fuzzy Hash: A7324532D29F054DD723A534D822335A249AFB73D5F19D737F81AB5AB9EB2AC4835200

Function 00FDCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf033b86711acc4b08b57c169fc7d584d4094a29be09e56e7a53cdff734ac78
Instruction ID: 44e44a2b80ebf2548dbafc9a50a7d9053ef81ef848a4d804c3f0b50e11c1dcea
Opcode Fuzzy Hash: adf033b86711acc4b08b57c169fc7d584d4094a29be09e56e7a53cdff734ac78
Instruction Fuzzy Hash: 9A321532A441868BFF24CE2CC6946BD7BE2FB45314F5885ABD6C5CB289D238DC81DB41

Function 00FC7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3918b001b0d446b1eeedc3cccce2e30802dcb6b2ccd0ce77996478ca81c22c06
Instruction ID: 613a6e0f872cd6521dd16cdb7d0693c456e42dd18dce01799eed0921fc69fd05
Opcode Fuzzy Hash: 3918b001b0d446b1eeedc3cccce2e30802dcb6b2ccd0ce77996478ca81c22c06
Instruction Fuzzy Hash: 0322B070A0420A9FEF15DF68CD42BAEB7F6FF44300F144529E856A7291EB3AA914DF50

Function 00FC91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a008c67a846d1e31eeca8c85e983f27fa6a4c0478f1771f0705216b65c893a
Instruction ID: d177964b134e96d0cad2ff45b016fb60ab732028549560e7d5523c76f37f48f4
Opcode Fuzzy Hash: 05a008c67a846d1e31eeca8c85e983f27fa6a4c0478f1771f0705216b65c893a
Instruction Fuzzy Hash: 1202E5B1E0020AEBDB05DF54D981FAEB7B1FF44300F108569E846AB391EB35EA55DB90

Function 00FF9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82902383dfbac00c5c5b8010ca0f2be107a46c31e6790ee30046f4205a356c66
Instruction ID: d7fa066e965204c49bc83e5177812dd3021db1521806f4314ba6f97b163ee36b
Opcode Fuzzy Hash: 82902383dfbac00c5c5b8010ca0f2be107a46c31e6790ee30046f4205a356c66
Instruction Fuzzy Hash: DCB1E230D2AF504DD22396398431336B65CBFBB6D5F51D31BFC5A78E66EB2685834280

Function 00FE1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 43484d9248cd1a29405e2a6242537ee91be5855fa17e774d44db07b80a65266d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B4915773A080E349DB29463F857457EFFE16A923B131A079EE4F2CA1C5EE349954F620

Function 00FE1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7be6fdec552788ff537ed4737b04b4cdb89a206e0b443f1f6d4955877d888cb8
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 3B916573A090E349DB69463B887413EFFE55A923B131A079ED4F2CB1C5FE248A54F620

Function 00FE19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a437e2e9f4909046052c1998d455bbe8649adfc48c261b100111ff3f8ffcda7e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 709122736090E34ADB69467B857407EFFE16A927B131A07AED4F2CA1C1FE348564F620

Function 00FE7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7175a011beb3dbab2e0ead8a57e0e07cd4eb43a3a8aa4924bf7477eb555d4efc
Instruction ID: 44a8783052f87231bf1ada67da925c2f608be6742d1817815eb67942b10368e6
Opcode Fuzzy Hash: 7175a011beb3dbab2e0ead8a57e0e07cd4eb43a3a8aa4924bf7477eb555d4efc
Instruction Fuzzy Hash: A6617D31E087C956DA34B92F4C55BBF3394DF81B60F20092EE843CB2A5D6199E43B315

Function 00FE7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae835cbc875afe3cb709b5258a32d403468c1154cb1db2314d2cd2d104754d3
Instruction ID: fd13c5872ec2815bca2ab240658ae13ee35c7c430b1caa552470d640ead6c463
Opcode Fuzzy Hash: 6ae835cbc875afe3cb709b5258a32d403468c1154cb1db2314d2cd2d104754d3
Instruction Fuzzy Hash: D0618C71E0C7C966DE38792B4C91BBF338ADF42760F14095AE943CB281DA16AD42B315

Function 00FE1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 6727b7b9ac030c156ceb72b34f2f726604f9acb74b6c09738b10ced8660034f6
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A4813173A090E349DB69463B857447EFFE17A923B131A079DD4F2CA1C1EE349654F620

Function 01032046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72f7951565bf158f85638cbe203f9465f9501a85e4f6c57d7911be7e19c39e3
Instruction ID: 3bb6ba3168c1717527b5c4748e342c11e3bc52c146769921f93703c8ac6f391d
Opcode Fuzzy Hash: e72f7951565bf158f85638cbe203f9465f9501a85e4f6c57d7911be7e19c39e3
Instruction Fuzzy Hash: 0821BB326215118BD728CE79C82267EB3D9B794310F15866EE4E7C77C5DE3AA904C780

Function 01042ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01042B30
DeleteObject.GDI32(00000000), ref: 01042B43
DestroyWindow.USER32 ref: 01042B52
GetDesktopWindow.USER32 ref: 01042B6D
GetWindowRect.USER32(00000000), ref: 01042B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01042CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01042CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042CF8
GetClientRect.USER32(00000000,?), ref: 01042D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01042D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D80
GlobalLock.KERNEL32(00000000), ref: 01042D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D98
GlobalUnlock.KERNEL32(00000000), ref: 01042DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042DA8
GlobalFree.KERNEL32(00000000), ref: 01042DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0105FC38,00000000), ref: 01042DDB
GlobalFree.KERNEL32(00000000), ref: 01042DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01042E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01042E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104303F

Strings

DISPLAY, xrefs: 01042EA2
AutoIt v3, xrefs: 01042CF2
static, xrefs: 01042D3A, 01042E91
, xrefs: 01042FC5

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 82e9476434833e86ff5a114f90bed55c8827ad85320438cd50881f6f5473c312
Instruction ID: 789e72ef46ab67acddda58bcff33a066200c627709fe256cb874bd805592c40f
Opcode Fuzzy Hash: 82e9476434833e86ff5a114f90bed55c8827ad85320438cd50881f6f5473c312
Instruction Fuzzy Hash: 81028EB5600209AFEB24DF64DD89EAF7BB9FB48310F048558F955AB294C739AD00CB60

Function 010570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0105712F
GetSysColorBrush.USER32(0000000F), ref: 01057160
GetSysColor.USER32(0000000F), ref: 0105716C
SetBkColor.GDI32(?,000000FF), ref: 01057186
SelectObject.GDI32(?,?), ref: 01057195
InflateRect.USER32(?,000000FF,000000FF), ref: 010571C0
GetSysColor.USER32(00000010), ref: 010571C8
CreateSolidBrush.GDI32(00000000), ref: 010571CF
FrameRect.USER32(?,?,00000000), ref: 010571DE
DeleteObject.GDI32(00000000), ref: 010571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01057230
FillRect.USER32(?,?,?), ref: 01057262
GetWindowLongW.USER32(?,000000F0), ref: 01057284

Part of subcall function 010573E8: GetSysColor.USER32(00000012), ref: 01057421
Part of subcall function 010573E8: SetTextColor.GDI32(?,?), ref: 01057425
Part of subcall function 010573E8: GetSysColorBrush.USER32(0000000F), ref: 0105743B
Part of subcall function 010573E8: GetSysColor.USER32(0000000F), ref: 01057446
Part of subcall function 010573E8: GetSysColor.USER32(00000011), ref: 01057463
Part of subcall function 010573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01057471
Part of subcall function 010573E8: SelectObject.GDI32(?,00000000), ref: 01057482
Part of subcall function 010573E8: SetBkColor.GDI32(?,00000000), ref: 0105748B
Part of subcall function 010573E8: SelectObject.GDI32(?,?), ref: 01057498
Part of subcall function 010573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010574B7
Part of subcall function 010573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010574CE
Part of subcall function 010573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010574DB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 71145ab39a88124bf4fba59011d4f7345156f7295efab1ced963d65abde3b9c9
Instruction ID: ca04069cb80884e2ff3a99df831c2b1924af4190cefe66d7ff4347fb6dd273a2
Opcode Fuzzy Hash: 71145ab39a88124bf4fba59011d4f7345156f7295efab1ced963d65abde3b9c9
Instruction Fuzzy Hash: FFA1C072008301AFEB619F64DD48E5BBBE9FB49320F500A19FAE2961D0D73AD944DB51

Function 00FD8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FD8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01016AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01016AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01016F43

Part of subcall function 00FD8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FD8BE8,?,00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 00FD8FC5

SendMessageW.USER32(?,00001053), ref: 01016F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01016F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01016FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01016FB7

Strings

0, xrefs: 01016DCF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 4b75feb04920239a5e12b11e5535ef9cc4b1e5835a04b29fddb8e95cabdec98c
Instruction ID: 4e4aa430e69d626ed9506de72323e62cc59b2801452718bdb23f0d25f514dc46
Opcode Fuzzy Hash: 4b75feb04920239a5e12b11e5535ef9cc4b1e5835a04b29fddb8e95cabdec98c
Instruction Fuzzy Hash: C712E031600201EFDB22CF18C984BA6BBE6FB44310F5844A9F5D58B259CB7BE892DF51

Function 01042711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0104273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0104286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01042900
GetClientRect.USER32(00000000,?), ref: 0104290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01042955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01042964
GetStockObject.GDI32(00000011), ref: 01042974
SelectObject.GDI32(00000000,00000000), ref: 01042978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01042988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01042991
DeleteDC.GDI32(00000000), ref: 0104299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01042A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01042A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01042A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01042A77
GetStockObject.GDI32(00000011), ref: 01042A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01042A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01042A97

Strings

DISPLAY, xrefs: 0104295A
AutoIt v3, xrefs: 010428F8
static, xrefs: 0104294F, 01042A71
msctls_progress32, xrefs: 01042A13

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 329c6572bd57726bc442b526fd2111d0654b2453da57874ae4deaacd0c446578
Instruction ID: e0ef44f62c2f4288697b5e6cdc374dfaaa8e2d3043f1bbec04efe15dc2c4c8a0
Opcode Fuzzy Hash: 329c6572bd57726bc442b526fd2111d0654b2453da57874ae4deaacd0c446578
Instruction Fuzzy Hash: 8BB14CB1A00205AFEB24DF68DD86FAF7BB9FB08710F008558F955E7290D775A940CB64

Function 01034ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01034AED
GetDriveTypeW.KERNEL32(?,0105CB68,?,\\.\,0105CC08), ref: 01034BCA
SetErrorMode.KERNEL32(00000000,0105CB68,?,\\.\,0105CC08), ref: 01034D36

Strings

FileBackedVirtual, xrefs: 01034CEC
Removable, xrefs: 01034C10, 01034C15
Unknown, xrefs: 01034BED, 01034C83
RAMDisk, xrefs: 01034BF4
Network, xrefs: 01034C02
SCSI, xrefs: 01034C8A
SAS, xrefs: 01034CC9
Fibre, xrefs: 01034CAD
SATA, xrefs: 01034CD0
1394, xrefs: 01034C9F
SSA, xrefs: 01034CA6
USB, xrefs: 01034CB4
RAID, xrefs: 01034CBB
Virtual, xrefs: 01034CE5
SSD, xrefs: 01034C4A
MMC, xrefs: 01034CDE
iSCSI, xrefs: 01034CC2
PhysicalDrive, xrefs: 01034B76
Fixed, xrefs: 01034C09
ATAPI, xrefs: 01034C91
ATA, xrefs: 01034C98
CDROM, xrefs: 01034BFB
\\.\, xrefs: 01034B3F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 30e18d0b6fb1e53db457410205f579521ee63f552a5eaa700ee582e001d2dc77
Instruction ID: 1e6e831b9a1810537b8608c90997c37fc1f6f17d55365e984c6b63b1fad8b943
Opcode Fuzzy Hash: 30e18d0b6fb1e53db457410205f579521ee63f552a5eaa700ee582e001d2dc77
Instruction Fuzzy Hash: 9D61D430A1820ADBCB84FF19CA86D6D77E9EB84300B148459F8C6EF252DB76DD85CB41

Function 010573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01057421
SetTextColor.GDI32(?,?), ref: 01057425
GetSysColorBrush.USER32(0000000F), ref: 0105743B
GetSysColor.USER32(0000000F), ref: 01057446
CreateSolidBrush.GDI32(?), ref: 0105744B
GetSysColor.USER32(00000011), ref: 01057463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01057471
SelectObject.GDI32(?,00000000), ref: 01057482
SetBkColor.GDI32(?,00000000), ref: 0105748B
SelectObject.GDI32(?,?), ref: 01057498
InflateRect.USER32(?,000000FF,000000FF), ref: 010574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01057554
InflateRect.USER32(?,000000FD,000000FD), ref: 01057572
DrawFocusRect.USER32(?,?), ref: 0105757D
GetSysColor.USER32(00000011), ref: 0105758E
SetTextColor.GDI32(?,00000000), ref: 01057596
DrawTextW.USER32(?,010570F5,000000FF,?,00000000), ref: 010575A8
SelectObject.GDI32(?,?), ref: 010575BF
DeleteObject.GDI32(?), ref: 010575CA
SelectObject.GDI32(?,?), ref: 010575D0
DeleteObject.GDI32(?), ref: 010575D5
SetTextColor.GDI32(?,?), ref: 010575DB
SetBkColor.GDI32(?,?), ref: 010575E5

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f89c27d8b7b726fe3c50f1216b16ab72c76f2a5df72013b94d209403ec4d59b5
Instruction ID: 6060bf5fcd5e182c3553fde11e2f04cf2228b927e4ecb8544467c5e6e4e7233f
Opcode Fuzzy Hash: f89c27d8b7b726fe3c50f1216b16ab72c76f2a5df72013b94d209403ec4d59b5
Instruction Fuzzy Hash: EA618B76900318AFEF119FA8DD48EAFBFB9EB09320F144111FA51AB291D7799940DF90

Function 01050FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01051128
GetDesktopWindow.USER32 ref: 0105113D
GetWindowRect.USER32(00000000), ref: 01051144
GetWindowLongW.USER32(?,000000F0), ref: 01051199
DestroyWindow.USER32(?), ref: 010511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0105121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01051232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01051245
IsWindowVisible.USER32(00000000), ref: 010512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010512D0
GetWindowRect.USER32(00000000,?), ref: 010512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0105130E
GetMonitorInfoW.USER32(00000000,?), ref: 01051328
CopyRect.USER32(?,?), ref: 0105133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010513AA

Strings

tooltips_class32, xrefs: 010511E6
0, xrefs: 010510D3
(, xrefs: 0105131B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9c19c014065b880b5282ef2a52eb8468259bd55f9ab5a80dba6eefd3d8b16364
Instruction ID: 1c2b69344d8a0f295953e99213ca2f50275e59dff825986820b0fbc8b6326440
Opcode Fuzzy Hash: 9c19c014065b880b5282ef2a52eb8468259bd55f9ab5a80dba6eefd3d8b16364
Instruction Fuzzy Hash: 53B17B71608341AFE750DF68C985B6BBBE4FF88350F00895CF9999B291C775E844CBA1

Function 00FD8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FD8968
GetSystemMetrics.USER32(00000007), ref: 00FD8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FD899B
GetSystemMetrics.USER32(00000008), ref: 00FD89A3
GetSystemMetrics.USER32(00000004), ref: 00FD89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FD89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FD89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FD8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FD8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00FD8A5A
GetStockObject.GDI32(00000011), ref: 00FD8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD8A81

Part of subcall function 00FD912D: GetCursorPos.USER32(?), ref: 00FD9141
Part of subcall function 00FD912D: ScreenToClient.USER32(00000000,?), ref: 00FD915E
Part of subcall function 00FD912D: GetAsyncKeyState.USER32(00000001), ref: 00FD9183
Part of subcall function 00FD912D: GetAsyncKeyState.USER32(00000002), ref: 00FD919D

SetTimer.USER32(00000000,00000000,00000028,00FD90FC), ref: 00FD8AA8

Strings

AutoIt v3 GUI, xrefs: 00FD8A20

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b71610148178f4bf401570b96cf52a07093fe02b393e872faa856ac14ef841e3
Instruction ID: 4eb4f241528e19fcef9be24c11f9ac05f0c2e3167365c9b84bc3f4eefff2442c
Opcode Fuzzy Hash: b71610148178f4bf401570b96cf52a07093fe02b393e872faa856ac14ef841e3
Instruction Fuzzy Hash: 82B1A171A0030AAFDF14DFA8CD55BAE3BB5FB48320F04421AFA95A7284DB79D841DB51

Function 01020D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01021114
Part of subcall function 010210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021120
Part of subcall function 010210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 0102112F
Part of subcall function 010210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021136
Part of subcall function 010210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0102114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01020DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01020E29
GetLengthSid.ADVAPI32(?), ref: 01020E40
GetAce.ADVAPI32(?,00000000,?), ref: 01020E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01020E96
GetLengthSid.ADVAPI32(?), ref: 01020EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01020EB5
HeapAlloc.KERNEL32(00000000), ref: 01020EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01020EDD
CopySid.ADVAPI32(00000000), ref: 01020EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01020F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01020F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01020F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020F6E
HeapFree.KERNEL32(00000000), ref: 01020F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020F7E
HeapFree.KERNEL32(00000000), ref: 01020F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020F8E
HeapFree.KERNEL32(00000000), ref: 01020F95
GetProcessHeap.KERNEL32(00000000,?), ref: 01020FA1
HeapFree.KERNEL32(00000000), ref: 01020FA8

Part of subcall function 01021193: GetProcessHeap.KERNEL32(00000008,01020BB1,?,00000000,?,01020BB1,?), ref: 010211A1
Part of subcall function 01021193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01020BB1,?), ref: 010211A8
Part of subcall function 01021193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01020BB1,?), ref: 010211B7

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0d7c4306cb32acf1b9620aed3aef29cbdf605db5fee6bebfcd7a1004a03a58f5
Instruction ID: 414c80a5f7cdc4de5d17ac9ae55a5a01caea83c3c4390766499f9a85f0d528a3
Opcode Fuzzy Hash: 0d7c4306cb32acf1b9620aed3aef29cbdf605db5fee6bebfcd7a1004a03a58f5
Instruction Fuzzy Hash: 8A71697290031AABEF609FA8DD48FAFBBBCFF05310F044155FA99A6184D7359A05CB60

Function 0104C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0105CC08,00000000,?,00000000,?,?), ref: 0104C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0104C5A4
_wcslen.LIBCMT ref: 0104C5F4
_wcslen.LIBCMT ref: 0104C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0104C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0104C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0104C84D
RegCloseKey.ADVAPI32(?), ref: 0104C881
RegCloseKey.ADVAPI32(00000000), ref: 0104C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0104C960

Strings

REG_BINARY, xrefs: 0104C913
REG_QWORD, xrefs: 0104C8C3
REG_EXPAND_SZ, xrefs: 0104C5CD
REG_SZ, xrefs: 0104C644
REG_MULTI_SZ, xrefs: 0104C6F5
REG_DWORD, xrefs: 0104C804

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 0016702e1343aaaa2c37ebe2a7b0000bac446f8eb4c3320a3a685a13a12ee5c9
Instruction ID: 9df99fcb117d2011496336e80a294ca21af3ab1e7a82ad56480ba77429ffa7b0
Opcode Fuzzy Hash: 0016702e1343aaaa2c37ebe2a7b0000bac446f8eb4c3320a3a685a13a12ee5c9
Instruction Fuzzy Hash: 4A124B756042019FE714DF14C981F2AB7E5EF88714F1888ACF98A9B3A2DB35ED41DB81

Function 0105091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010509C6
_wcslen.LIBCMT ref: 01050A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01050A54
_wcslen.LIBCMT ref: 01050A8A
_wcslen.LIBCMT ref: 01050B06
_wcslen.LIBCMT ref: 01050B81

Part of subcall function 00FDF9F2: _wcslen.LIBCMT ref: 00FDF9FD

Part of subcall function 01022BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01022BFA

Strings

EXPAND, xrefs: 01050BF8
SELECT, xrefs: 01050D11
UNCHECK, xrefs: 01050D3E
GETSELECTED, xrefs: 01050C4E
CHECK, xrefs: 01050A85, 01050AA0
GETTEXT, xrefs: 01050C97
EXISTS, xrefs: 01050B7C, 01050B97
COLLAPSE, xrefs: 01050B01, 01050B1C
ISCHECKED, xrefs: 01050CE1
GETITEMCOUNT, xrefs: 01050C1E
GETTOTALCOUNT, xrefs: 010509F2, 01050A17

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 451f02f370641aa4d40a2d92952e30288b1d0ee97fcb45654d10dbe1f85a4a8f
Instruction ID: 208526a9c86517e27150ffca01073d64b12efeec6e6b32476861f145fd2a1e46
Opcode Fuzzy Hash: 451f02f370641aa4d40a2d92952e30288b1d0ee97fcb45654d10dbe1f85a4a8f
Instruction Fuzzy Hash: 63E18C312083028FC754EF28C99196EB7E2BF88314B14899DF8D69B36AD735ED45CB91

Function 0104C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
_wcslen.LIBCMT ref: 0104C9F1
_wcslen.LIBCMT ref: 0104CA68
_wcslen.LIBCMT ref: 0104CA9E
_wcslen.LIBCMT ref: 0104CAF9
_wcslen.LIBCMT ref: 0104CB2F
_wcslen.LIBCMT ref: 0104CB7F

Strings

HKCU, xrefs: 0104CBCE
HKEY_LOCAL_MACHINE, xrefs: 0104CA62, 0104CA67
HKEY_USERS, xrefs: 0104CBDF
HKCC, xrefs: 0104CBAC
HKU, xrefs: 0104CBF0
HKLM, xrefs: 0104CA98, 0104CA9D
HKEY_CLASSES_ROOT, xrefs: 0104CAF3, 0104CAF8
HKEY_CURRENT_USER, xrefs: 0104CBBD
HKCR, xrefs: 0104CB29, 0104CB2E
HKEY_CURRENT_CONFIG, xrefs: 0104CB79, 0104CB7E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: aa8097ff272fdbefb87d527afbea3e3b6ed09f0a6ba49b7ad891324d21139d7f
Instruction ID: 9be53028545611bc08cccb4472303e906d30a10ed9bd862f963be31e4cebd335
Opcode Fuzzy Hash: aa8097ff272fdbefb87d527afbea3e3b6ed09f0a6ba49b7ad891324d21139d7f
Instruction Fuzzy Hash: A77116B26011268BEB21EE7CCED15BE33D1AF50658F1405B8F8D2A7286EA35CD54D3A0

Function 0105833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0105835A
_wcslen.LIBCMT ref: 0105836E
_wcslen.LIBCMT ref: 01058391
_wcslen.LIBCMT ref: 010583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0105361A,?), ref: 0105844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01058487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01058501
FreeLibrary.KERNEL32(?), ref: 0105850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0105851D
DestroyIcon.USER32(?), ref: 0105852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01058549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01058555

Strings

.exe, xrefs: 01058388
.dll, xrefs: 010583AB
.icl, xrefs: 01058368

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 49cfcd308f113b8c976a0af7fe2e1b7589799a9d4a81ae9a48a9768e1f6cb27c
Instruction ID: 765c0a873130c83775b5ea9eca32b75b087f5a599f2cb9d46ca5eba66ea43632
Opcode Fuzzy Hash: 49cfcd308f113b8c976a0af7fe2e1b7589799a9d4a81ae9a48a9768e1f6cb27c
Instruction Fuzzy Hash: B561F371900305BAEB64DF65CC41BBF7BACBB08711F10864AFD95D60D1DB78A980DBA0

Function 00FC7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 00FC78D9
#comments-start, xrefs: 00FC785F, 00FC78B1
#requireadmin, xrefs: 00FC77FF
Bad directive syntax error, xrefs: 0100519A
Unterminated group of comments, xrefs: 0100528C
#include-once, xrefs: 00FC782F
#ce, xrefs: 00FC78ED
#notrayicon, xrefs: 00FC77E7
#OnAutoItStartRegister, xrefs: 00FC7817
#pragma compile, xrefs: 00FC77D3
#include, xrefs: 00FC7847
Cannot parse #include, xrefs: 01005279
', xrefs: 01005169
#cs, xrefs: 00FC7873, 00FC78C5
", xrefs: 01005153

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d3a9a2083d8d2dd99778ca4f0d21c50387ef7af8b9e871afe5a4b89cc70abcd9
Instruction ID: fcf7541216843e4ce961162eba9dca8c2ad4a07aafccbcf76edea326698b87f6
Opcode Fuzzy Hash: d3a9a2083d8d2dd99778ca4f0d21c50387ef7af8b9e871afe5a4b89cc70abcd9
Instruction Fuzzy Hash: E9812B71A04306BBEB11BF65CE43FAF3BA9AF15340F044029F945AB192EB74D911EB91

Function 01033E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 01033EF8
_wcslen.LIBCMT ref: 01033F03
_wcslen.LIBCMT ref: 01033F5A
_wcslen.LIBCMT ref: 01033F98
GetDriveTypeW.KERNEL32(?), ref: 01033FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01034059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01034087

Strings

close cd wait, xrefs: 01034072
close, xrefs: 01033EFE, 01033F18
closed, xrefs: 01033F08, 01033F2D, 01033F46, 01033F7E, 01033F97
set cd door , xrefs: 01034028
wait, xrefs: 01034044
open, xrefs: 01033F54, 01033F59
type cdaudio alias cd wait, xrefs: 01034001
open , xrefs: 01033FE5

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: d4fd4af78cb9606132c8289d472f6a87ef520d2dae0eb8bb6e5d73bf93f5f71a
Instruction ID: 928fe97a2c441c14f9660a0b30213eabb2c709f09d88f73714a7e80b3975e737
Opcode Fuzzy Hash: d4fd4af78cb9606132c8289d472f6a87ef520d2dae0eb8bb6e5d73bf93f5f71a
Instruction Fuzzy Hash: 3F71AE326082069FC310EF28C98196AB7E8FF84758F40496DF8D69B252EB35ED45CB91

Function 01025A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 01025A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01025A40
SetWindowTextW.USER32(?,?), ref: 01025A57
GetDlgItem.USER32(?,000003EA), ref: 01025A6C
SetWindowTextW.USER32(00000000,?), ref: 01025A72
GetDlgItem.USER32(?,000003E9), ref: 01025A82
SetWindowTextW.USER32(00000000,?), ref: 01025A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01025AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01025AC3
GetWindowRect.USER32(?,?), ref: 01025ACC
_wcslen.LIBCMT ref: 01025B33
SetWindowTextW.USER32(?,?), ref: 01025B6F
GetDesktopWindow.USER32 ref: 01025B75
GetWindowRect.USER32(00000000), ref: 01025B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01025BD3
GetClientRect.USER32(?,?), ref: 01025BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 01025C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01025C2F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f1d53e02b00e1c7ea237f40532a1be3da06d89b6c5cf64ca27272bfea13c76b4
Instruction ID: 7ff1fa5800c433a0c72fffcbe8eccf487e91d5ad33c04a5d81c98ef64393458d
Opcode Fuzzy Hash: f1d53e02b00e1c7ea237f40532a1be3da06d89b6c5cf64ca27272bfea13c76b4
Instruction Fuzzy Hash: BD718D31A00719AFDB21DFA8CE85AAEBBF9FF48704F104958E582A3590D775E940CF64

Function 0103FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0103FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0103FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0103FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0103FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0103FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0103FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0103FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0103FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0103FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0103FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0103FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0103FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0103FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0103FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0103FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0103FECC
GetCursorInfo.USER32(?), ref: 0103FEDC
GetLastError.KERNEL32 ref: 0103FF1E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2f30bee8ff4d5fa9fb8b9521ba1ba94e14e8c2a3b8daaa49d0660f388a5dc615
Instruction ID: 1e5c71dac791a446fef0f247d1adadba8b7dc0628437c6af8c842c024573423f
Opcode Fuzzy Hash: 2f30bee8ff4d5fa9fb8b9521ba1ba94e14e8c2a3b8daaa49d0660f388a5dc615
Instruction Fuzzy Hash: ED4170B0D0831AAEDB109FBA8C89C5EBFE8FF44314B50456AE55CE7281DB78A501CF91

Function 00FE00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FE00C6

Part of subcall function 00FE00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0109070C,00000FA0,0EEDD5EB,?,?,?,?,010023B3,000000FF), ref: 00FE011C
Part of subcall function 00FE00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,010023B3,000000FF), ref: 00FE0127
Part of subcall function 00FE00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,010023B3,000000FF), ref: 00FE0138
Part of subcall function 00FE00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FE014E
Part of subcall function 00FE00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FE015C
Part of subcall function 00FE00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FE016A
Part of subcall function 00FE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FE0195
Part of subcall function 00FE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FE01A0

___scrt_fastfail.LIBCMT ref: 00FE00E7

Part of subcall function 00FE00A3: __onexit.LIBCMT ref: 00FE00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FE0122
WakeAllConditionVariable, xrefs: 00FE0162
kernel32.dll, xrefs: 00FE0133
InitializeConditionVariable, xrefs: 00FE0148
SleepConditionVariableCS, xrefs: 00FE0154

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: f508665f89de6b53fbc5c8e87d7a221249f2c91e9e7bebd301fa7b848d8b3a02
Instruction ID: 2511fe76afbbba382923e06275fc1dc0fb7de6a578eeee1a36d893dc40ab9528
Opcode Fuzzy Hash: f508665f89de6b53fbc5c8e87d7a221249f2c91e9e7bebd301fa7b848d8b3a02
Instruction Fuzzy Hash: 9B212C32E453416BE7206B76AD05B2F73A9EB05B71F04012AF9819A248DFFD8C409BA0

Function 010230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0102318D
_wcslen.LIBCMT ref: 010231F8

Strings

CLASS, xrefs: 01023188, 010231A5
CLASSNN, xrefs: 010231F3, 01023204
INSTANCE, xrefs: 01023453
TEXT, xrefs: 0102347C
REGEXPCLASS, xrefs: 01023255, 01023266
NAME, xrefs: 01023335, 01023346

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 3a3ffb6b1447b27d11736a63240bababf3fccdeaa75e9626cbcd5dc7872798f7
Instruction ID: 157dacd096bfe8aba8e593b81ab71b9b1ab11b70027ab07d9ea76d88b2044e62
Opcode Fuzzy Hash: 3a3ffb6b1447b27d11736a63240bababf3fccdeaa75e9626cbcd5dc7872798f7
Instruction Fuzzy Hash: ABE10731A001369BCB599F68C851BEEFBB0BF08710F54819AE5D6FB241DF38A945DB90

Function 010344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0105CC08), ref: 01034527
_wcslen.LIBCMT ref: 0103453B
_wcslen.LIBCMT ref: 01034599
_wcslen.LIBCMT ref: 010345F4
_wcslen.LIBCMT ref: 0103463F
_wcslen.LIBCMT ref: 010346A7

Part of subcall function 00FDF9F2: _wcslen.LIBCMT ref: 00FDF9FD

GetDriveTypeW.KERNEL32(?,01086BF0,00000061), ref: 01034743

Strings

all, xrefs: 01034531, 01034536
cdrom, xrefs: 0103458F, 01034594
ramdisk, xrefs: 010346F1
removable, xrefs: 010345EA, 010345EF
fixed, xrefs: 01034635, 0103463A
unknown, xrefs: 01034708
network, xrefs: 0103469D, 010346A2

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: fc16a745375c16ce59f4bcc49b5a50486f2be9dced94b41a62178de67609651d
Instruction ID: 645714274be73efbfdc883f0738085f816fea35adc374fdcd4b149801890ebcc
Opcode Fuzzy Hash: fc16a745375c16ce59f4bcc49b5a50486f2be9dced94b41a62178de67609651d
Instruction Fuzzy Hash: 95B1EF31A083029BC711DF28C891A6EBBE9BFD9764F40495DF5D6CB292D734D884CB92

Function 01043FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0105CC08), ref: 010440BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 010440CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0105CC08), ref: 010440F2
FreeLibrary.KERNEL32(00000000,?,0105CC08), ref: 0104413E
StringFromGUID2.OLE32(?,?,00000028,?,0105CC08), ref: 010441A8
SysFreeString.OLEAUT32(00000009), ref: 01044262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010442C8
SysFreeString.OLEAUT32(?), ref: 010442F2

Strings

GetModuleHandleExW, xrefs: 010440C7
kernel32.dll, xrefs: 010440B6

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: d1890d663c50f085719558b68e4589baca0aec9ac233b55347ab4364ddd5dc73
Instruction ID: 60443189394115612226b2d0a3a4f0478a6a81fe34c0b6a4ab9148020ba00517
Opcode Fuzzy Hash: d1890d663c50f085719558b68e4589baca0aec9ac233b55347ab4364ddd5dc73
Instruction Fuzzy Hash: 98123AB5A00205AFDB55CF58C9C4EAEBBB9FF85314F1480A8E945DB251CB31ED46CBA0

Function 00FC326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01091990), ref: 01002F8D
GetMenuItemCount.USER32(01091990), ref: 0100303D
GetCursorPos.USER32(?), ref: 01003081
SetForegroundWindow.USER32(00000000), ref: 0100308A
TrackPopupMenuEx.USER32(01091990,00000000,?,00000000,00000000,00000000), ref: 0100309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010030A9

Strings

0, xrefs: 00FC327D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 68adfe2c4b685508efa959e53dd13e923f3b59018f63e3f09d928a1a7812451b
Instruction ID: 94b807a8fd8afb0a3495e064716f8d8ed9aa1ff02ef178209c3c723f8e681e13
Opcode Fuzzy Hash: 68adfe2c4b685508efa959e53dd13e923f3b59018f63e3f09d928a1a7812451b
Instruction Fuzzy Hash: BE713A31640316BEFB329F68CD49FAABFA8FF003A4F20421AF6556A1D0C7B1A950D750

Function 01056CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 01056DEB

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01056E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01056E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01056E94
DestroyWindow.USER32(?), ref: 01056EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FC0000,00000000), ref: 01056EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01056EFD
GetDesktopWindow.USER32 ref: 01056F16
GetWindowRect.USER32(00000000), ref: 01056F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01056F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01056F4D

Part of subcall function 00FD9944: GetWindowLongW.USER32(?,000000EB), ref: 00FD9952

Strings

0, xrefs: 01056D98
tooltips_class32, xrefs: 01056E58, 01056EDD

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f2beec0feb9b57d40df6fe82233408117ff30e3d351cff38dbf19d729774044b
Instruction ID: 2998fdbf7e703a84f0a3a86631c9f0c7ebb6f6908ec9de52199693b2f372a2f6
Opcode Fuzzy Hash: f2beec0feb9b57d40df6fe82233408117ff30e3d351cff38dbf19d729774044b
Instruction Fuzzy Hash: C6716970504345AFEB61CF18C844FABBBE9FB89304F84055DFAD987261C776A906DB11

Function 0105911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

DragQueryPoint.SHELL32(?,?), ref: 01059147

Part of subcall function 01057674: ClientToScreen.USER32(?,?), ref: 0105769A
Part of subcall function 01057674: GetWindowRect.USER32(?,?), ref: 01057710
Part of subcall function 01057674: PtInRect.USER32(?,?,01058B89), ref: 01057720

SendMessageW.USER32(?,000000B0,?,?), ref: 010591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01059225
SendMessageW.USER32(?,000000B0,?,?), ref: 0105923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01059255
SendMessageW.USER32(?,000000B1,?,?), ref: 01059277
DragFinish.SHELL32(?), ref: 0105927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01059371

Strings

@GUI_DRAGID, xrefs: 010592E9
@GUI_DROPID, xrefs: 0105929E
@GUI_DRAGFILE, xrefs: 01059320

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5f247743e2ad3d32ee3e69062d53b9fb5b37aa0dc7a07078ea60e1ece551d381
Instruction ID: 58f806bd275674eae79d61fba095c3c1e0ee32154f1bb3667fae54ca9072feff
Opcode Fuzzy Hash: 5f247743e2ad3d32ee3e69062d53b9fb5b37aa0dc7a07078ea60e1ece551d381
Instruction Fuzzy Hash: 5E61AC71108302AFD701DF60DD89EAFBBE8EF88350F00091EF595931A1DB75AA49CB62

Function 0103C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0103C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0103C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0103C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0103C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0103C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0103C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0103C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0103C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0103C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0103C5F0
InternetCloseHandle.WININET(00000000), ref: 0103C5FB

Strings

, xrefs: 0103C575

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4bd63c451269309e330bd849329dbff0aba286804d06125490a384e921721c2b
Instruction ID: d214f0364ae95bed53927da43e7ca1b09b9085b1311a5eed64de401775838c2c
Opcode Fuzzy Hash: 4bd63c451269309e330bd849329dbff0aba286804d06125490a384e921721c2b
Instruction Fuzzy Hash: D3512AB1500709BFFB219F65CA88AAB7BFCFB48754F00441AF986E6640DB35D944DB60

Function 0105856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 01058592
GetFileSize.KERNEL32(00000000,00000000), ref: 010585A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 010585AD
CloseHandle.KERNEL32(00000000), ref: 010585BA
GlobalLock.KERNEL32(00000000), ref: 010585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 010585D7
GlobalUnlock.KERNEL32(00000000), ref: 010585E0
CloseHandle.KERNEL32(00000000), ref: 010585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 010585F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0105FC38,?), ref: 01058611
GlobalFree.KERNEL32(00000000), ref: 01058621
GetObjectW.GDI32(?,00000018,000000FF), ref: 01058641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01058671
DeleteObject.GDI32(00000000), ref: 01058699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010586AF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b742781240606bec15c6863a0153ccbe0993fc23b1f561a7e4da60026cd43654
Instruction ID: 47d618dd90bcdd9f69d35c5afe450d3c0a87b5c920e8cd293da26d7c6663db9f
Opcode Fuzzy Hash: b742781240606bec15c6863a0153ccbe0993fc23b1f561a7e4da60026cd43654
Instruction Fuzzy Hash: C1411875600308AFEB619FA9CD48EAB7BBCEB89755F008059FD8AE7250D7359941CB20

Function 010314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01031502
VariantCopy.OLEAUT32(?,?), ref: 0103150B
VariantClear.OLEAUT32(?), ref: 01031517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010315FB
VarR8FromDec.OLEAUT32(?,?), ref: 01031657
VariantInit.OLEAUT32(?), ref: 01031708
SysFreeString.OLEAUT32(?), ref: 0103178C
VariantClear.OLEAUT32(?), ref: 010317D8
VariantClear.OLEAUT32(?), ref: 010317E7
VariantInit.OLEAUT32(00000000), ref: 01031823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01031625
Default, xrefs: 010316AF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5795a7a1e7d76d8eb78b67f1c98120f22161943978f28264ce6029727d61409e
Instruction ID: da47acbff63726c8e79584fca27e35c74f55a36eff67986261357d062c3f2068
Opcode Fuzzy Hash: 5795a7a1e7d76d8eb78b67f1c98120f22161943978f28264ce6029727d61409e
Instruction Fuzzy Hash: 83D1F531A00215DBEB10DF65D885B7DBBF9BF49700F08849AF596AB2C0DB38E845DB61

Function 0104B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 0104C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104C9F1
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA68
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0104B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0104B80A
RegCloseKey.ADVAPI32(?), ref: 0104B87E
RegCloseKey.ADVAPI32(?), ref: 0104B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0104B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0104B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0104B922
FreeLibrary.KERNEL32(00000000), ref: 0104B983
RegCloseKey.ADVAPI32(00000000), ref: 0104B994

Strings

advapi32.dll, xrefs: 0104B8ED
RegDeleteKeyExW, xrefs: 0104B8FE

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 4acf04ee6f46b210fb4464dd87deb371c84a1f383c8f767a238411efcdbf15c8
Instruction ID: 0fa857f958cc23a1109c60b9f527a32efbcf6514700b0bbb4236de3c20fcec74
Opcode Fuzzy Hash: 4acf04ee6f46b210fb4464dd87deb371c84a1f383c8f767a238411efcdbf15c8
Instruction Fuzzy Hash: EAC19074208302AFE714DF18C5D5F2ABBE5BF85318F1884ACF5994B292CB75E845CB91

Function 0104255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010425E8
CreateCompatibleDC.GDI32(?), ref: 010425F4
SelectObject.GDI32(00000000,?), ref: 01042601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0104266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010426D0
SelectObject.GDI32(?,?), ref: 010426D8
DeleteObject.GDI32(?), ref: 010426E1
DeleteDC.GDI32(?), ref: 010426E8
ReleaseDC.USER32(00000000,?), ref: 010426F3

Strings

(, xrefs: 0104268D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4a7ca40c10b34b94f5282badf173e0db51610d2255cd57aca5d52a9e521685c4
Instruction ID: ebb7516b21aac65492506810bbd7beedf6809b38409b2a7633bea89a13f26e41
Opcode Fuzzy Hash: 4a7ca40c10b34b94f5282badf173e0db51610d2255cd57aca5d52a9e521685c4
Instruction Fuzzy Hash: C06103B5E00309EFDF15CFA4D984AAEBBB9FF48310F208529E996A7240D735A940CF54

Function 00FFDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FFDAA1

Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD659
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD66B
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD67D
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD68F
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6A1
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6B3
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6C5
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6D7
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6E9
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6FB
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD70D
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD71F
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD731

_free.LIBCMT ref: 00FFDA96

Part of subcall function 00FF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FFDAB8
_free.LIBCMT ref: 00FFDACD
_free.LIBCMT ref: 00FFDAD8
_free.LIBCMT ref: 00FFDAFA
_free.LIBCMT ref: 00FFDB0D
_free.LIBCMT ref: 00FFDB1B
_free.LIBCMT ref: 00FFDB26
_free.LIBCMT ref: 00FFDB5E
_free.LIBCMT ref: 00FFDB65
_free.LIBCMT ref: 00FFDB82
_free.LIBCMT ref: 00FFDB9A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1955f9c0b15aff1182d4f5299f420dee94cb5b24986574eeb4c479b1ed60a499
Instruction ID: 7db2b4ce6ed656709ca0ed45ad540b207daa4ad072b66c91bfe431cbaa6a346c
Opcode Fuzzy Hash: 1955f9c0b15aff1182d4f5299f420dee94cb5b24986574eeb4c479b1ed60a499
Instruction Fuzzy Hash: BF316B31A442099FEB31AA38EC45B7A77EAFF40320F104519E248D71B2DB79AC40B724

Function 0102365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0102369C
_wcslen.LIBCMT ref: 010236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01023797
GetClassNameW.USER32(?,?,00000400), ref: 0102380C
GetDlgCtrlID.USER32(?), ref: 0102385D
GetWindowRect.USER32(?,?), ref: 01023882
GetParent.USER32(?), ref: 010238A0
ScreenToClient.USER32(00000000), ref: 010238A7
GetClassNameW.USER32(?,?,00000100), ref: 01023921
GetWindowTextW.USER32(?,?,00000400), ref: 0102395D

Strings

%s%u, xrefs: 01023734

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 549a7e2af6be28e3d60541bcd269c754679dd638e80658d298985cc891e1e990
Instruction ID: f04cb1c835e5a123f15fbc653c471f54f00fc338d8770e09be0f751137380c82
Opcode Fuzzy Hash: 549a7e2af6be28e3d60541bcd269c754679dd638e80658d298985cc891e1e990
Instruction Fuzzy Hash: 5591D371204316AFE719DE28C884FAAF7E9FF49344F008519FAD9DA180DB38E545CBA1

Function 01024954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 01024994
GetWindowTextW.USER32(?,?,00000400), ref: 010249DA
_wcslen.LIBCMT ref: 010249EB
CharUpperBuffW.USER32(?,00000000), ref: 010249F7
_wcsstr.LIBVCRUNTIME ref: 01024A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 01024A64
GetWindowTextW.USER32(?,?,00000400), ref: 01024A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 01024AE6
GetClassNameW.USER32(?,?,00000400), ref: 01024B20
GetWindowRect.USER32(?,?), ref: 01024B8B

Strings

ThumbnailClass, xrefs: 01024A6F, 01024AF1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 415a02b0e6b966f3e4c4fca31f6f09ea99aeb78e4baf5b74736d123e4424dfb5
Instruction ID: a9c8739b65da1caf8f69650002a3276102565b0379487eaee5a99d058541b12a
Opcode Fuzzy Hash: 415a02b0e6b966f3e4c4fca31f6f09ea99aeb78e4baf5b74736d123e4424dfb5
Instruction Fuzzy Hash: DA91CF311043269FEB15DF18C985FAA7BE8FF84314F0484A9EEC5DA086DB34E945CBA1

Function 0102BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01091990,000000FF,00000000,00000030), ref: 0102BFAC
SetMenuItemInfoW.USER32(01091990,00000004,00000000,00000030), ref: 0102BFE1
Sleep.KERNEL32(000001F4), ref: 0102BFF3
GetMenuItemCount.USER32(?), ref: 0102C039
GetMenuItemID.USER32(?,00000000), ref: 0102C056
GetMenuItemID.USER32(?,-00000001), ref: 0102C082
GetMenuItemID.USER32(?,?), ref: 0102C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0102C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0102C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0102C145

Strings

0, xrefs: 0102BF3D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: cbf29196f5765641d1b1365f9c931d5c3d813a7531203936a566f2789d613859
Instruction ID: eeffa7f55da7f0aeac87b5a553c27f4a9b75233f0f55a82e10effd8b8a93c42d
Opcode Fuzzy Hash: cbf29196f5765641d1b1365f9c931d5c3d813a7531203936a566f2789d613859
Instruction Fuzzy Hash: B1617270900366AFFF25CF58CA89AEE7FB8EF46344F144155F991A3281C739A944CB60

Function 0104CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0104CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0104CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0104CD48

Part of subcall function 0104CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0104CCAA
Part of subcall function 0104CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0104CCBD
Part of subcall function 0104CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0104CCCF
Part of subcall function 0104CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0104CD05
Part of subcall function 0104CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0104CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0104CCF3

Strings

advapi32.dll, xrefs: 0104CCB8
RegDeleteKeyExW, xrefs: 0104CCC9

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 9470f3e7b70642ccab4c70a4eefa359033d736cc3827021c0d2e3a7e669e0fb9
Instruction ID: d70d66178d4370d11565521447afd4da8bc7631945d02a0538596e4bb4f68a71
Opcode Fuzzy Hash: 9470f3e7b70642ccab4c70a4eefa359033d736cc3827021c0d2e3a7e669e0fb9
Instruction Fuzzy Hash: E23170B1902219BBE7219B55DEC8EFFBBBCEF06650F000165F981E2104DA349A45DBA4

Function 01033D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01033D40
_wcslen.LIBCMT ref: 01033D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 01033D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01033DBE
RemoveDirectoryW.KERNEL32(?), ref: 01033DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01033E55
CloseHandle.KERNEL32(00000000), ref: 01033E60
CloseHandle.KERNEL32(00000000), ref: 01033E6B

Strings

\??\%s, xrefs: 01033D5B
:, xrefs: 01033D82
\, xrefs: 01033D77

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 86711502de403e5351f2bb550074e2ee27df764628bd61594cfa5f2305068d3a
Instruction ID: e51e08adb5e48bea57eca0a913d0d69b6654cc5a1135609973e300aa1b1a0420
Opcode Fuzzy Hash: 86711502de403e5351f2bb550074e2ee27df764628bd61594cfa5f2305068d3a
Instruction Fuzzy Hash: 7731C471900209ABEB21AFA4DC89FEF37BDFF88740F1040B6F649D6155EB7492848B24

Function 0102E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0102E6B4

Part of subcall function 00FDE551: timeGetTime.WINMM(?,?,0102E6D4), ref: 00FDE555

Sleep.KERNEL32(0000000A), ref: 0102E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0102E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0102E727
SetActiveWindow.USER32 ref: 0102E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0102E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0102E773
Sleep.KERNEL32(000000FA), ref: 0102E77E
IsWindow.USER32 ref: 0102E78A
EndDialog.USER32(00000000), ref: 0102E79B

Strings

BUTTON, xrefs: 0102E719

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9d4e02a73a708b4a61b158cc85950137f5fa99d00c911261b89d7e78d28663cc
Instruction ID: d6571726963978869342d59d3dda989e746c4162cf3a38f111d53dc79ad34332
Opcode Fuzzy Hash: 9d4e02a73a708b4a61b158cc85950137f5fa99d00c911261b89d7e78d28663cc
Instruction Fuzzy Hash: 0021A170248315BFFB315F64ED98A2A3BADF74D348B144425F5C281649DB7BAC108B64

Function 0102E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0102EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0102EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0102EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0102EAA7

Strings

alias PlayMe, xrefs: 0102EA36
play PlayMe wait, xrefs: 0102EA91
status PlayMe mode, xrefs: 0102EA58
close PlayMe, xrefs: 0102EA6E, 0102EA9B
play PlayMe, xrefs: 0102EAA2
open , xrefs: 0102EA0C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8e5376aeba2ca477589517177f46567dd008a95312eac14711dcaa38388e7f9e
Instruction ID: e04b0ee61003233abb3f7b24d09630a42612e7b1eb6dd09245dc9951f44e6f26
Opcode Fuzzy Hash: 8e5376aeba2ca477589517177f46567dd008a95312eac14711dcaa38388e7f9e
Instruction Fuzzy Hash: C111A331A9426A79E720B7A6DD4AEFF7ABCEBD1B00F40046DB4C1A60D1EEA11905C5B0

Function 01029F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0102A012
SetKeyboardState.USER32(?), ref: 0102A07D
GetAsyncKeyState.USER32(000000A0), ref: 0102A09D
GetKeyState.USER32(000000A0), ref: 0102A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0102A0E3
GetKeyState.USER32(000000A1), ref: 0102A0F4
GetAsyncKeyState.USER32(00000011), ref: 0102A120
GetKeyState.USER32(00000011), ref: 0102A12E
GetAsyncKeyState.USER32(00000012), ref: 0102A157
GetKeyState.USER32(00000012), ref: 0102A165
GetAsyncKeyState.USER32(0000005B), ref: 0102A18E
GetKeyState.USER32(0000005B), ref: 0102A19C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 99b40e338a74af86013de9780664d49159dddeb26aa430522454a5d979076a0e
Instruction ID: 48dd6d7bd2e032e7cc91d601c9223b8b5028e1e7d68e3838e3fc1219a3b0a850
Opcode Fuzzy Hash: 99b40e338a74af86013de9780664d49159dddeb26aa430522454a5d979076a0e
Instruction Fuzzy Hash: 8E510830A047A969FBB5DBA48410BEBBFF49F02384F0885D9D6C2575C3DE54A64CCB61

Function 01025CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 01025CE2
GetWindowRect.USER32(00000000,?), ref: 01025CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01025D59
GetDlgItem.USER32(?,00000002), ref: 01025D69
GetWindowRect.USER32(00000000,?), ref: 01025D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01025DCF
GetDlgItem.USER32(?,000003E9), ref: 01025DDD
GetWindowRect.USER32(00000000,?), ref: 01025DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01025E31
GetDlgItem.USER32(?,000003EA), ref: 01025E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01025E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 01025E67

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6faf1a6117d570b4e4603b9aa32ebc74046d672754c1d00a0fcc436e33f7fcbd
Instruction ID: 152d405f33e426f05fb9bf38c35204dd6286ee1bc850d98a1e56467df85a8817
Opcode Fuzzy Hash: 6faf1a6117d570b4e4603b9aa32ebc74046d672754c1d00a0fcc436e33f7fcbd
Instruction Fuzzy Hash: 6F511E71A00319AFDF18DF68DD89AAE7BF9FB48300F108169F555E6294D774AE00CB60

Function 00FD8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FD8BE8,?,00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 00FD8FC5

DestroyWindow.USER32(?), ref: 00FD8C81
KillTimer.USER32(00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 00FD8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 01016973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 010169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 010169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FD8BBA,00000000), ref: 010169D4
DeleteObject.GDI32(00000000), ref: 010169E6

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b04d44c8731998eab72e8e84516732f01e919235581339a806174416fffe5eeb
Instruction ID: 30e9dc07e8e627d2688db4b622be3dc4e554fd3125bef301a950b42bc8c33556
Opcode Fuzzy Hash: b04d44c8731998eab72e8e84516732f01e919235581339a806174416fffe5eeb
Instruction Fuzzy Hash: ED61C331511701DFDB369F18DA4872A77F6FB40362F18455EE0C28B698CB7AA882EF50

Function 00FD9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9944: GetWindowLongW.USER32(?,000000EB), ref: 00FD9952

GetSysColor.USER32(0000000F), ref: 00FD9862

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 88f5cb535a0d9298f08fff5202eae91266199ff862cccb519f149edba08aa251
Instruction ID: 2aa66d14a289d063eb1ba67b2a9a8cd055d27dcee763063b30a26a33fb7344c2
Opcode Fuzzy Hash: 88f5cb535a0d9298f08fff5202eae91266199ff862cccb519f149edba08aa251
Instruction Fuzzy Hash: 5641C331508740AFEF305F789884BBA3BAAAB06731F584646F9E2872D5C7B59841FB11

Function 010296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0100F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01029717
LoadStringW.USER32(00000000,?,0100F7F8,00000001), ref: 01029720

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0100F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01029742
LoadStringW.USER32(00000000,?,0100F7F8,00000001), ref: 01029745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01029866

Strings

^ ERROR, xrefs: 010297FB
%s (%d) : ==> %s: %s %s, xrefs: 0102984A
Error: , xrefs: 0102981D
Line %d:, xrefs: 010297A0
Line %d (File "%s"):, xrefs: 0102978F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3ffa372f08081040bd7804bbf14dc1b069da316e974d45ad716ae412981e56cb
Instruction ID: d0d856a784c6ff3ffb637b14b5e06494febdff46d47fffb4f78be28fada4c86d
Opcode Fuzzy Hash: 3ffa372f08081040bd7804bbf14dc1b069da316e974d45ad716ae412981e56cb
Instruction Fuzzy Hash: 1D417E7290422AAADB04FBE0DE47EEE7779AF14344F504029F24172091EF796F48DB61

Function 010206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01020804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0102082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01020837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0102083C

Strings

SOFTWARE\Classes\, xrefs: 0102070E
\CLSID, xrefs: 01020724
\IPC$, xrefs: 01020784

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 8123605bb68f659bc47b044cb37d4b705b91058f7bc3df1294c30f2f391e9bd9
Instruction ID: 92d6a2426e48097662593d5c5038d8dd15865b5a0db6f358ea0d56342bb44fa4
Opcode Fuzzy Hash: 8123605bb68f659bc47b044cb37d4b705b91058f7bc3df1294c30f2f391e9bd9
Instruction Fuzzy Hash: 00413772C10229ABDF21EBA4DD86DEEB7B8FF04350B044169F981A3151EB759E04DBA0

Function 01053F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0105403B
CreateCompatibleDC.GDI32(00000000), ref: 01054042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01054055
SelectObject.GDI32(00000000,00000000), ref: 0105405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01054068
DeleteDC.GDI32(00000000), ref: 01054072
GetWindowLongW.USER32(?,000000EC), ref: 0105407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01054092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0105409E

Strings

static, xrefs: 01053FD3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b07eac17300b8d2ce20a73a3382a2afa1f426d3db3e0a0160f57451705dcecf2
Instruction ID: d8e68cd59dc8e5821099e51a7b89c26d5c6fd02a47927798198c7b2b39b33501
Opcode Fuzzy Hash: b07eac17300b8d2ce20a73a3382a2afa1f426d3db3e0a0160f57451705dcecf2
Instruction Fuzzy Hash: 70315932100315ABEF629FA8CD48FDB3BA8EF0D324F100215FA99E6090D73AD850DB64

Function 01043C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01043C5C
CoInitialize.OLE32(00000000), ref: 01043C8A
CoUninitialize.OLE32 ref: 01043C94
_wcslen.LIBCMT ref: 01043D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01043DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01043ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01043F0E
CoGetObject.OLE32(?,00000000,0105FB98,?), ref: 01043F2D
SetErrorMode.KERNEL32(00000000), ref: 01043F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01043FC4
VariantClear.OLEAUT32(?), ref: 01043FD8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d29067689e8e61e7ec108c0c3f31c7f1faf87ab2ef9adbe86f17fd21fe310d29
Instruction ID: f31a65d9ff02bcd6794bb1a86086818772b40cd6851576adb90e5d41a4492093
Opcode Fuzzy Hash: d29067689e8e61e7ec108c0c3f31c7f1faf87ab2ef9adbe86f17fd21fe310d29
Instruction Fuzzy Hash: 64C143B1608316AFD710DF68C98492BBBE9FF89744F00496DF98A9B250DB31ED05CB52

Function 01037A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01037AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01037B8F
SHGetDesktopFolder.SHELL32(?), ref: 01037BA3
CoCreateInstance.OLE32(0105FD08,00000000,00000001,01086E6C,?), ref: 01037BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01037C74
CoTaskMemFree.OLE32(?,?), ref: 01037CCC
SHBrowseForFolderW.SHELL32(?), ref: 01037D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01037D7A
CoTaskMemFree.OLE32(00000000), ref: 01037D81
CoTaskMemFree.OLE32(00000000), ref: 01037DD6
CoUninitialize.OLE32 ref: 01037DDC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 41ffefbb38d232b7fc18092213f32ad5134847ce1565532d75af07de0b6a9bf9
Instruction ID: 0585d6f8629ffab73b71ea21b4011b4f3399c165381abb8405ef044db60345ef
Opcode Fuzzy Hash: 41ffefbb38d232b7fc18092213f32ad5134847ce1565532d75af07de0b6a9bf9
Instruction Fuzzy Hash: C7C15B75A00209AFDB14DF64C988DAEBBF9FF48304B148498E955DB361DB35ED41CB90

Function 0105541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01055504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01055515
CharNextW.USER32(00000158), ref: 01055544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01055585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0105559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010555AC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: f15ae9baa229bc82e89d979833c312dcab570878dbbbd6c5b5ae304626bafea6
Instruction ID: 4caaddc48938b08d9bb41b27b7040c4fff8d0932ab18e2641bc1d4b553a5bb73
Opcode Fuzzy Hash: f15ae9baa229bc82e89d979833c312dcab570878dbbbd6c5b5ae304626bafea6
Instruction Fuzzy Hash: B2616034A00209ABEFA19F54CC849FF7FB9FB0A724F004145FAA5AB290D7799641DF60

Function 0101FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0101FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0101FB08
VariantInit.OLEAUT32(?), ref: 0101FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0101FB3A
VariantCopy.OLEAUT32(?,?), ref: 0101FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0101FBA1
VariantClear.OLEAUT32(?), ref: 0101FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0101FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0101FBCC
VariantClear.OLEAUT32(?), ref: 0101FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0101FBE9

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 31b1c4a3aa9bd10b4595466aa01117d514fb07db3dc2d297ea3eb4507bf31cdd
Instruction ID: f33dd4b8a5946974266e18c8b704f3b5cfac0fe32dd8c7b44c6fb620ce0b2bad
Opcode Fuzzy Hash: 31b1c4a3aa9bd10b4595466aa01117d514fb07db3dc2d297ea3eb4507bf31cdd
Instruction Fuzzy Hash: 10417175A0031A9FDB10DF68C894DEEBFB9FF48344F008059E985A7255CB39A946CFA0

Function 01029C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01029CA1
GetAsyncKeyState.USER32(000000A0), ref: 01029D22
GetKeyState.USER32(000000A0), ref: 01029D3D
GetAsyncKeyState.USER32(000000A1), ref: 01029D57
GetKeyState.USER32(000000A1), ref: 01029D6C
GetAsyncKeyState.USER32(00000011), ref: 01029D84
GetKeyState.USER32(00000011), ref: 01029D96
GetAsyncKeyState.USER32(00000012), ref: 01029DAE
GetKeyState.USER32(00000012), ref: 01029DC0
GetAsyncKeyState.USER32(0000005B), ref: 01029DD8
GetKeyState.USER32(0000005B), ref: 01029DEA

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2915a5143f28e70b1948031c03be679613acdbdc56a50ece31853407706ba95b
Instruction ID: 26a567332e872774f4a7bf91b81aa6c8a958fa01838cd6f6ea70f0b7537fffce
Opcode Fuzzy Hash: 2915a5143f28e70b1948031c03be679613acdbdc56a50ece31853407706ba95b
Instruction Fuzzy Hash: 4C41D5345047F969FFB2966884043B6BEE06F0134CF0480DEDAC6575C3DBA595C8C7A2

Function 0104055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010405BC
inet_addr.WSOCK32(?), ref: 0104061C
gethostbyname.WSOCK32(?), ref: 01040628
IcmpCreateFile.IPHLPAPI ref: 01040636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010407B9
WSACleanup.WSOCK32 ref: 010407BF

Strings

Ping, xrefs: 01040676

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 37189adaf44e7b1318185cb300ac38f4b2492c93d09909936212af383dfe92a5
Instruction ID: 2ee0e32b7438322d7c5924cde3041e351450c91a41e1ad7db047c7b6cc484e62
Opcode Fuzzy Hash: 37189adaf44e7b1318185cb300ac38f4b2492c93d09909936212af383dfe92a5
Instruction Fuzzy Hash: 4291AF759043019FD320DF19C989F5ABBE0FF44318F0485A9F6AA9B6A6C735E845CF82

Function 01048CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01048CF3

Part of subcall function 01028E54: _wcslen.LIBCMT ref: 01028E77

_wcslen.LIBCMT ref: 01048D4E
_wcslen.LIBCMT ref: 01048D9C
_wcslen.LIBCMT ref: 01048DDC
_wcslen.LIBCMT ref: 01048E6E

Strings

stdcall, xrefs: 01048DD6, 01048DDB
winapi, xrefs: 01048D96, 01048D9B
none, xrefs: 01048E65, 01048E6A
cdecl, xrefs: 01048D48, 01048D4D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 0c0c81302d8562f924d17fe791070c11fc8997e02ed0fac51adbd006e719d79b
Instruction ID: 94262c254dd44e50ca01705a2220f73d68e2a0edacffe26c5c1922a18bd2356a
Opcode Fuzzy Hash: 0c0c81302d8562f924d17fe791070c11fc8997e02ed0fac51adbd006e719d79b
Instruction Fuzzy Hash: 6851F3B1A000169BCB24EFADC9809BEB7E5BF54324B20867AE4A6E7285D734DD40C790

Function 0104372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01043774
CoUninitialize.OLE32 ref: 0104377F
CoCreateInstance.OLE32(?,00000000,00000017,0105FB78,?), ref: 010437D9
IIDFromString.OLE32(?,?), ref: 0104384C
VariantInit.OLEAUT32(?), ref: 010438E4
VariantClear.OLEAUT32(?), ref: 01043936

Strings

NULL Pointer assignment, xrefs: 0104381E
Invalid parameter, xrefs: 01043865
Failed to create object, xrefs: 010437E4, 0104389A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b6e2ddf3740c231617acdf34ed24acd6533979be3180a7552932ffda0f91a709
Instruction ID: 22041246f30a22d67ca3cd9d22a66e830c723a5951a5e554ff4969a5d86f3afd
Opcode Fuzzy Hash: b6e2ddf3740c231617acdf34ed24acd6533979be3180a7552932ffda0f91a709
Instruction Fuzzy Hash: D0616CB0608311AFE321DF54C989B6ABBE8FF49714F00086DF9C59B291C774E948CB92

Function 01033388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010333CF

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010333F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 01033504
"%s" (%d) : ==> %s:, xrefs: 01033522
Incorrect parameters to object property !, xrefs: 010334AB
Error: , xrefs: 010334D1
^ ERROR , xrefs: 0103349E
Line %d (File "%s"):, xrefs: 01033443, 0103345C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 4df17b82b60330386847a3a137bbd962ce7dd2177d564709b5d0263c17bfddc5
Instruction ID: 5565e6e7e224be49b43ef58daa33b66f1af3617cd0335cffee2ae2a60ad6bf4c
Opcode Fuzzy Hash: 4df17b82b60330386847a3a137bbd962ce7dd2177d564709b5d0263c17bfddc5
Instruction Fuzzy Hash: 8551BE3190421BAADF15EBA0CE47EEEB7B9BF14340F108169F54576091EB3A2F58DB60

Function 0102B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0102B5FC
_wcslen.LIBCMT ref: 0102B608
_wcslen.LIBCMT ref: 0102B64D
_wcslen.LIBCMT ref: 0102B68C
_wcslen.LIBCMT ref: 0102B6C7

Strings

REMOVE, xrefs: 0102B602, 0102B607
APPEND, xrefs: 0102B6C1, 0102B6C6
EXISTS, xrefs: 0102B686, 0102B68B
KEYS, xrefs: 0102B647, 0102B64C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: eddc8079df35a4f65573129da4e551c06014d36cacaf2cf365a290b480076fe1
Instruction ID: 9fc4f7925e3779ed4af598f984ee0832a66ed6f7d97ba778ebb8645af04a2c0a
Opcode Fuzzy Hash: eddc8079df35a4f65573129da4e551c06014d36cacaf2cf365a290b480076fe1
Instruction Fuzzy Hash: 81412832A000378BCB306F7DCC945BE7BE5BF64654B1441A9E4E2D7281F639C981C390

Function 01035393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01035416
GetLastError.KERNEL32 ref: 01035420
SetErrorMode.KERNEL32(00000000,READY), ref: 010354A7

Strings

READONLY, xrefs: 01035452
NOTREADY, xrefs: 0103544B
INVALID, xrefs: 01035459
UNKNOWN, xrefs: 01035444
READY, xrefs: 01035460, 01035468

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: be03311f28779749e681470ab5832616e8086f68ae357d4b8c83d3d47e095870
Instruction ID: 48a6e9eba586b5d85854089bf24d31fec6088fbeca3d9e0d218ca3612a31a93a
Opcode Fuzzy Hash: be03311f28779749e681470ab5832616e8086f68ae357d4b8c83d3d47e095870
Instruction Fuzzy Hash: A431D335A002059FD715DF68C985FAA7BF8FF85309F048099E585CB2A2DB76DD42CB90

Function 01053C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01053C79
SetMenu.USER32(?,00000000), ref: 01053C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01053D10
IsMenu.USER32(?), ref: 01053D24
CreatePopupMenu.USER32 ref: 01053D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01053D5B
DrawMenuBar.USER32 ref: 01053D63

Strings

F, xrefs: 01053D4E
0, xrefs: 01053C54

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 47a6b2d5e9c34c4fcebc555a98073588d209fa25a8ec9b57f5dbb809fb9dc1d8
Instruction ID: 04148d6fe2c16363409217409e7db863d892b44cec3c7b792229cf55a485de64
Opcode Fuzzy Hash: 47a6b2d5e9c34c4fcebc555a98073588d209fa25a8ec9b57f5dbb809fb9dc1d8
Instruction Fuzzy Hash: 7E415C75A01309AFEB64DF94E944B9A7BF9FF49354F040068EE869B350D735A910CB60

Function 01021EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 01021F64
GetDlgCtrlID.USER32 ref: 01021F6F
GetParent.USER32 ref: 01021F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 01021F8E
GetDlgCtrlID.USER32(?), ref: 01021F97
GetParent.USER32(?), ref: 01021FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 01021FAE

Strings

ComboBox, xrefs: 01021EEC
ListBox, xrefs: 01021F21

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1d1e760794a1baa7861174b3e91a699eb0abbcea61ea867a256f27fe79c62432
Instruction ID: 5d24f25f310ced39a65197146877f66f421599b62c1bc43841e2af3da15d1569
Opcode Fuzzy Hash: 1d1e760794a1baa7861174b3e91a699eb0abbcea61ea867a256f27fe79c62432
Instruction Fuzzy Hash: 2D21C270904228BBDF14AFA4CD85EEEBBB8EF19310F000159F9A167291CB795518DB70

Function 01021FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 01022043
GetDlgCtrlID.USER32 ref: 0102204E
GetParent.USER32 ref: 0102206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0102206D
GetDlgCtrlID.USER32(?), ref: 01022076
GetParent.USER32(?), ref: 0102208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0102208D

Strings

ComboBox, xrefs: 01021FCD
ListBox, xrefs: 01022002

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1689a49dae17cfe0a41bf7dd0f4065c3a631c553495322c69504265e0b0266eb
Instruction ID: 781f48905ad5444b4773d9e201d680c6d42f80b03759ee0b3ed33c0bba8f35cc
Opcode Fuzzy Hash: 1689a49dae17cfe0a41bf7dd0f4065c3a631c553495322c69504265e0b0266eb
Instruction Fuzzy Hash: 0221CF71900228BBDF10AFA4CD89EEEBFB9EF19300F000459F991A7192CA7D5518DB60

Function 01053A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01053A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01053AA0
GetWindowLongW.USER32(?,000000F0), ref: 01053AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01053AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01053B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01053BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01053BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01053BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01053BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01053C13

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: c1315efd01d67d187dd1626155eb5d4e423ad0221aba4eaff9d7f1f8f95b7e45
Instruction ID: 3ef2263a9acbe68eb9d8ddf8d6e44f88fc32209227154796f8623ba1fd012a63
Opcode Fuzzy Hash: c1315efd01d67d187dd1626155eb5d4e423ad0221aba4eaff9d7f1f8f95b7e45
Instruction Fuzzy Hash: 3A617D75A00249AFEB21DF68CC81EEE77F8FB09710F100199FA55EB291D774A941DB50

Function 0102B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0102B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B165
GetWindowThreadProcessId.USER32(00000000), ref: 0102B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0102B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B21D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: aeaaa9867708ce28470e54b8da47532f259a0a1bc3a227c6c344c2930c0078c7
Instruction ID: f84d306012f31faf402c357ace7f3b8cf80ed2afd664db6efed98c31cc15b807
Opcode Fuzzy Hash: aeaaa9867708ce28470e54b8da47532f259a0a1bc3a227c6c344c2930c0078c7
Instruction Fuzzy Hash: C431DB71110314BFEB259F28D868B7E7BEDFB86311F104005FA84DA185C7BAA940CF20

Function 00FF2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF2C94

Part of subcall function 00FF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FF2CA0
_free.LIBCMT ref: 00FF2CAB
_free.LIBCMT ref: 00FF2CB6
_free.LIBCMT ref: 00FF2CC1
_free.LIBCMT ref: 00FF2CCC
_free.LIBCMT ref: 00FF2CD7
_free.LIBCMT ref: 00FF2CE2
_free.LIBCMT ref: 00FF2CED
_free.LIBCMT ref: 00FF2CFB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 19b1341ee5d380043d2940f5b5c260b134748e32f740a98fb95b9dd47378e0f4
Instruction ID: c11759ee45280e5e052465ff94ef05542455bbcebb6c2302b63b8f459a96020c
Opcode Fuzzy Hash: 19b1341ee5d380043d2940f5b5c260b134748e32f740a98fb95b9dd47378e0f4
Instruction Fuzzy Hash: DA11947654010DAFCB52EF58DC82CED3BB5BF05350F414495FA485B232D675EA50BB90

Function 01037DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01037FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01037FC1
GetFileAttributesW.KERNEL32(?), ref: 01037FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 01038005
SetCurrentDirectoryW.KERNEL32(?), ref: 01038017
SetCurrentDirectoryW.KERNEL32(?), ref: 01038060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010380B0

Strings

*.*, xrefs: 01038066

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7782e9c6ea9f09919c9d5652bbc570df94bb92c7ea881982eb9053917055e682
Instruction ID: 774cfb945afbeb9c08ce29ca94f7de0805d82a5f62e389e237269fbd9b8dcc67
Opcode Fuzzy Hash: 7782e9c6ea9f09919c9d5652bbc570df94bb92c7ea881982eb9053917055e682
Instruction Fuzzy Hash: AF819EB25043419BDB64EF18C884AAEB7ECBBC8310F14885EF9C5D7251E735D9458BA2

Function 00FC5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FC5C7A

Part of subcall function 00FC5D0A: GetClientRect.USER32(?,?), ref: 00FC5D30
Part of subcall function 00FC5D0A: GetWindowRect.USER32(?,?), ref: 00FC5D71
Part of subcall function 00FC5D0A: ScreenToClient.USER32(?,?), ref: 00FC5D99

GetDC.USER32 ref: 010046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 01004708
SelectObject.GDI32(00000000,00000000), ref: 01004716
SelectObject.GDI32(00000000,00000000), ref: 0100472B
ReleaseDC.USER32(?,00000000), ref: 01004733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 010047C4

Strings

U, xrefs: 01004693

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3f235b8d1ae84e7bfb76770ce67b26c12644e073720c0e0bd57cd14d8d87f1d3
Instruction ID: f7b82be1c8d0baea46e4b1d235d77a4be5f6376b5aea324bcc95dbbd71f7d638
Opcode Fuzzy Hash: 3f235b8d1ae84e7bfb76770ce67b26c12644e073720c0e0bd57cd14d8d87f1d3
Instruction Fuzzy Hash: 4B71F331500206DFEF22CF68CA85EFA3BB5FF49360F1402A9EE959A196C3319881DF50

Function 0103359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010335E4

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

LoadStringW.USER32(01092390,?,00000FFF,?), ref: 0103360A

Strings

^ ERROR, xrefs: 010336C9
"%s" (%d) : ==> %s:%s%s, xrefs: 01033724
"%s" (%d) : ==> %s:, xrefs: 01033742
Error: , xrefs: 010336EF
Line %d (File "%s"):, xrefs: 0103366B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0e6faf2606d1243ef1f4454aae77e6d58f404298c078e62abb5f885a8d2f5317
Instruction ID: 6d85711dc951cd5b38fd62c8ff3765965d9f15136e774fb8bc3af3769a6bbf56
Opcode Fuzzy Hash: 0e6faf2606d1243ef1f4454aae77e6d58f404298c078e62abb5f885a8d2f5317
Instruction Fuzzy Hash: 5A51B031D0421BBADF15EBA0CD86EEEBB79BF14340F048129F14576191DB351A98EF60

Function 0103C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0103C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0103C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0103C2CA
GetLastError.KERNEL32 ref: 0103C322
SetEvent.KERNEL32(?), ref: 0103C336
InternetCloseHandle.WININET(00000000), ref: 0103C341

Strings

, xrefs: 0103C2BB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1b0e70776f08aa077303c57a24a367bdc5451ad2e60db9ac715331a1da40e547
Instruction ID: 48811ce6ca4e22ef835c42542d3977be037ffddce4915a8f7fe0ccbfa99a557c
Opcode Fuzzy Hash: 1b0e70776f08aa077303c57a24a367bdc5451ad2e60db9ac715331a1da40e547
Instruction Fuzzy Hash: 1F318271600308AFF7319F65CA84AAF7BFCEB89644B04851EF4C6E3200DB35DA058B61

Function 0102989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01003AAF,?,?,Bad directive syntax error,0105CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010298BC
LoadStringW.USER32(00000000,?,01003AAF,?), ref: 010298C3

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01029987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 010298F1
., xrefs: 0102996D
Line %d:, xrefs: 01029912
Error: , xrefs: 01029955
Line %d (File "%s"):, xrefs: 0102992D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 25206b2f5672494f889329f96be01fbb59dd700bdacf85c1714736d02d23898d
Instruction ID: 25f2a527efb01c5154c6763193a25110809c81239e310b1d0403bc8730685b40
Opcode Fuzzy Hash: 25206b2f5672494f889329f96be01fbb59dd700bdacf85c1714736d02d23898d
Instruction Fuzzy Hash: AB217C3190422BABDF11AF90CD0AEEE7779BF18304F04446AF55566092EB769618DB10

Function 0102209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 010220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 010220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0102214D

Strings

details, xrefs: 010220FB
smallicons, xrefs: 01022115
largeicons, xrefs: 010220E1
SHELLDLL_DefView, xrefs: 010220CC
list, xrefs: 0102212F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2f45e85075fc0931fbeff21bf132dc53e357297958735a3f261d7e58e69432c6
Instruction ID: 6ca7ee579840d137d27b49355c0c767cc06e992f3138d99a69aafc2adfac9f93
Opcode Fuzzy Hash: 2f45e85075fc0931fbeff21bf132dc53e357297958735a3f261d7e58e69432c6
Instruction Fuzzy Hash: B3110A7E688316B9F71135A5DC06DEB37DCDF24724B20016AFBC4A9092FE6968116A18

Function 00FF8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14597e59a0fd2d33f3a43a76b6f0b91e6c1b4472684cd821a9139090ada769d0
Instruction ID: 17ac4573dbd4a8b49f2a0bf3f7d1f83dcac98538d7c4c57fb1491463f07f1dd5
Opcode Fuzzy Hash: 14597e59a0fd2d33f3a43a76b6f0b91e6c1b4472684cd821a9139090ada769d0
Instruction Fuzzy Hash: DDC1F775D0824DAFDB11DFA8D841BBD7BB4BF09320F044099F654A73A2CB758941EB61

Function 00FFCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FFCEB7
_free.LIBCMT ref: 00FFCF22
_free.LIBCMT ref: 00FFCF48
_free.LIBCMT ref: 00FFCF71
_free.LIBCMT ref: 00FFCFA9
_free.LIBCMT ref: 00FFCFDA
_free.LIBCMT ref: 00FFD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00FFD09C
_free.LIBCMT ref: 00FFD0B5

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 3dfee2494271d0285a56a7a05ae926fc2179d1d0341e0c666312c6105e57c2a1
Instruction ID: d022b358697606af2772dc40e3bbb1e0e133f3d9fb3531e622e3052d56a0bcee
Opcode Fuzzy Hash: 3dfee2494271d0285a56a7a05ae926fc2179d1d0341e0c666312c6105e57c2a1
Instruction Fuzzy Hash: 63614772D0522DABDB31AF74998167EBBA9AF01320F04416DFB41972E5D73A9900B7A0

Function 010550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01055186
ShowWindow.USER32(?,00000000), ref: 010551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 010551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 010551D1

Part of subcall function 01056FBA: DeleteObject.GDI32(00000000), ref: 01056FE6

GetWindowLongW.USER32(?,000000F0), ref: 0105520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0105521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0105524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01055287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01055296

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 35ee238ada85d401226ee792f47c78481adf355c66cb59f17d78926954905ec4
Instruction ID: 95a0c269e7be0b72935979374433d34bfcbbdff57419f31d9c0baef01b17ac60
Opcode Fuzzy Hash: 35ee238ada85d401226ee792f47c78481adf355c66cb59f17d78926954905ec4
Instruction Fuzzy Hash: 3151C330A40209BEFFB09E68CC49BDA3FA5FB05360F044052FE95962D0D7B5A580DB45

Function 00FD8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01016890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FD8874,00000000,00000000,00000000,000000FF,00000000), ref: 01016901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0101691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FD8874,00000000,00000000,00000000,000000FF,00000000), ref: 0101692D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 8cab751b31283e2dede9dd8a2b1aeda8fd4124e02a749d4783ae7fb62a11aa4c
Instruction ID: 11bbdc937d03782f80c8bd8da2e1c63b0bedca8f5597303306c375ce37feacc2
Opcode Fuzzy Hash: 8cab751b31283e2dede9dd8a2b1aeda8fd4124e02a749d4783ae7fb62a11aa4c
Instruction Fuzzy Hash: 1D51A170600305EFDB20CF28CC51FAA7BB6FB84360F14451AF99697290DBB5E951EB50

Function 0103C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0103C182
GetLastError.KERNEL32 ref: 0103C195
SetEvent.KERNEL32(?), ref: 0103C1A9

Part of subcall function 0103C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0103C272
Part of subcall function 0103C253: GetLastError.KERNEL32 ref: 0103C322
Part of subcall function 0103C253: SetEvent.KERNEL32(?), ref: 0103C336
Part of subcall function 0103C253: InternetCloseHandle.WININET(00000000), ref: 0103C341

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f6e0352a39e5e653f57fc986bee02959773251396a39fdc923d6006373464bbc
Instruction ID: 5b1f618e27d04c84c56b95cd071e34ed11bd72ae17014cad035ba66ca079f3cb
Opcode Fuzzy Hash: f6e0352a39e5e653f57fc986bee02959773251396a39fdc923d6006373464bbc
Instruction Fuzzy Hash: A7318C71200745AFFB219FA9DE44A6BBBFCFF99200B04441EF99AE6604D735E414DBA0

Function 010225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01023A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01023A57
Part of subcall function 01023A3D: GetCurrentThreadId.KERNEL32 ref: 01023A5E
Part of subcall function 01023A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010225B3), ref: 01023A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 010225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 010225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01022601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01022605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0102260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01022623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01022627

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 97aae6be61dfcb4e7ebcb30617c04c8addf2205ede54d7e8f4610b8f359e7ea5
Instruction ID: 323a42cda52609bb6bfb8179a5f4ec3677e86790daec4cedc132da0dc3fe99ef
Opcode Fuzzy Hash: 97aae6be61dfcb4e7ebcb30617c04c8addf2205ede54d7e8f4610b8f359e7ea5
Instruction Fuzzy Hash: 3501D831790320BBFB2066689C8AF5A3F9DDB4EB11F100011F398AE1C4C9F624448A69

Function 01021803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01021449,?,?,00000000), ref: 0102180C
HeapAlloc.KERNEL32(00000000,?,01021449,?,?,00000000), ref: 01021813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01021449,?,?,00000000), ref: 01021828
GetCurrentProcess.KERNEL32(?,00000000,?,01021449,?,?,00000000), ref: 01021830
DuplicateHandle.KERNEL32(00000000,?,01021449,?,?,00000000), ref: 01021833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01021449,?,?,00000000), ref: 01021843
GetCurrentProcess.KERNEL32(01021449,00000000,?,01021449,?,?,00000000), ref: 0102184B
DuplicateHandle.KERNEL32(00000000,?,01021449,?,?,00000000), ref: 0102184E
CreateThread.KERNEL32(00000000,00000000,01021874,00000000,00000000,00000000), ref: 01021868

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9fce01b3726a50a5744a3818ab667b120d865c644b8f4f97b45900891fef21be
Instruction ID: 8d364d6dd7cadcd09232f5efe679a8422e67878fb5012f47330c03beec6fb9f6
Opcode Fuzzy Hash: 9fce01b3726a50a5744a3818ab667b120d865c644b8f4f97b45900891fef21be
Instruction Fuzzy Hash: 4901BBB5640308BFF720ABB5DD4DF6B7BACEB8AB11F004411FA45DB195CA759840CB24

Function 0104A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0102D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0102D501
Part of subcall function 0102D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0102D50F
Part of subcall function 0102D4DC: CloseHandle.KERNELBASE(00000000), ref: 0102D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104A16D
GetLastError.KERNEL32 ref: 0104A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0104A268
GetLastError.KERNEL32(00000000), ref: 0104A273
CloseHandle.KERNEL32(00000000), ref: 0104A2C4

Strings

SeDebugPrivilege, xrefs: 0104A18F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8715f907a5ecb403c1f80bf5e4adaff2dd596285bcafff3a78bd8a3c76c9b25e
Instruction ID: 48fca4bb565c42aa1d6958c5d9d20eb1204a153d9f87e090f53971d5292d605e
Opcode Fuzzy Hash: 8715f907a5ecb403c1f80bf5e4adaff2dd596285bcafff3a78bd8a3c76c9b25e
Instruction Fuzzy Hash: 2461CE70248242EFE720DF18C5D4F1ABBE5AF44318F18849CE4A68B7A3C776E945CB91

Function 01053886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01053925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0105393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01053954
_wcslen.LIBCMT ref: 01053999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010539F4

Strings

SysListView32, xrefs: 010538F7

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 71fc773a26352faeb3fcc048507b5997d094a1ea9e4af97972b031220567ed4c
Instruction ID: 9c35a0fbef4de49a094d20ac5a6706439e454b1f04fff4cb1dcb348baf026cb2
Opcode Fuzzy Hash: 71fc773a26352faeb3fcc048507b5997d094a1ea9e4af97972b031220567ed4c
Instruction Fuzzy Hash: AD419571A00319ABEF619F64CC45BEF7BA9FF08390F10056AF994EB281D7759980CB90

Function 0102BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0102BCFD
IsMenu.USER32(00000000), ref: 0102BD1D
CreatePopupMenu.USER32 ref: 0102BD53
GetMenuItemCount.USER32(018B6488), ref: 0102BDA4
InsertMenuItemW.USER32(018B6488,?,00000001,00000030), ref: 0102BDCC

Strings

2, xrefs: 0102BD37
0, xrefs: 0102BCA8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 032592f6ff76553866af90eb4fad8fa0ab55d6e04dd31c2a8bc6dc87a4dcd636
Instruction ID: 8a8e04986d0e455715629c8a09ae17dc54ae20e3e4063c45577023371c7aadde
Opcode Fuzzy Hash: 032592f6ff76553866af90eb4fad8fa0ab55d6e04dd31c2a8bc6dc87a4dcd636
Instruction Fuzzy Hash: 1651D1706003299BEF21EFACC984BEEBFF8BF45314F14419AE5919B291E7709941CB52

Function 0102C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0102C913

Strings

info, xrefs: 0102C8B4
warning, xrefs: 0102C8FC
blank, xrefs: 0102C895
stop, xrefs: 0102C8E4
question, xrefs: 0102C8CC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 58d7b6b527a57cb2820812f42a9d7e009c096e21f1796b6daf798ee0dafa91bd
Instruction ID: 8e1a89db48e3a874dcec79b44020ab7de005fc20e6c5a6c198def6c1ab4f2d2d
Opcode Fuzzy Hash: 58d7b6b527a57cb2820812f42a9d7e009c096e21f1796b6daf798ee0dafa91bd
Instruction Fuzzy Hash: D7113D31789357BAF7016B599D83CAE37DCDF05730B10007EF584AA182E7F96E0062A8

Function 0102DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0102DE42
gethostname.WSOCK32(?,00000100), ref: 0102DE5C
gethostbyname.WSOCK32(?), ref: 0102DE69
inet_ntoa.WSOCK32(?), ref: 0102DEAB
_strcat.LIBCMT ref: 0102DEB9
WSACleanup.WSOCK32 ref: 0102DEDE

Strings

0.0.0.0, xrefs: 0102DE87

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 20dda6ad77beba98730d27140abf8678f9eb1e340ae0a742bbe1b0f32c4cd877
Instruction ID: 784317da60bfddd55f350039bebe27480662c81083677083a66d722db74c1b70
Opcode Fuzzy Hash: 20dda6ad77beba98730d27140abf8678f9eb1e340ae0a742bbe1b0f32c4cd877
Instruction Fuzzy Hash: 2311E771904319ABEB30BB659C09DEF77ACDF14710F0401A9F5C5A6041EF799A819760

Function 01059F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

GetSystemMetrics.USER32(0000000F), ref: 01059FC7
GetSystemMetrics.USER32(0000000F), ref: 01059FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0105A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0105A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0105A263
ShowWindow.USER32(00000003,00000000), ref: 0105A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0105A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0105A2CA

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e5914ea7ddebbd0e20383ea0e8c5e24bcea0f09f28b16ea164d33d604fe02c5c
Instruction ID: b4722747d52ee339bc6092f67254f661c3f6b849ae62d2550f86313c52691653
Opcode Fuzzy Hash: e5914ea7ddebbd0e20383ea0e8c5e24bcea0f09f28b16ea164d33d604fe02c5c
Instruction Fuzzy Hash: 53B17C31600219DBEF94CF6CC9857AE7BF2FF48751F0881A9ED859B289D735A940CB60

Function 0102ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0102ED2A
_wcslen.LIBCMT ref: 0102ED3B
_wcslen.LIBCMT ref: 0102ED79
_wcslen.LIBCMT ref: 0102EDAF
_wcslen.LIBCMT ref: 0102EDDF
_wcslen.LIBCMT ref: 0102EDEF
_wcslen.LIBCMT ref: 0102EE2B
_wcslen.LIBCMT ref: 0102EE5A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 5aef371500f81fcf66b88923c6fd3ac6a14b5f58c926128b6ffd89562d613e15
Instruction ID: cd3b670ec017e3d2cd4ee77eebb44f4918bc2dd9bb0627f3a128e369998b659b
Opcode Fuzzy Hash: 5aef371500f81fcf66b88923c6fd3ac6a14b5f58c926128b6ffd89562d613e15
Instruction Fuzzy Hash: 9E41C365C1026875CB11EBF5CC8A9CFB7A8AF45310F408466E618F3122FB38E245D3E6

Function 00FDF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0101682C,00000004,00000000,00000000), ref: 00FDF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0101682C,00000004,00000000,00000000), ref: 0101F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0101682C,00000004,00000000,00000000), ref: 0101F454

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 10be42dfbc0d2bff610dadd5dedad31f141ac1cda44bb2c626e9d162c2f6f0c5
Instruction ID: be2267c059f3dfc12497d53c7fd7bd2b09b13c9145793260495ae6dad4473b3b
Opcode Fuzzy Hash: 10be42dfbc0d2bff610dadd5dedad31f141ac1cda44bb2c626e9d162c2f6f0c5
Instruction Fuzzy Hash: BA412F31E08781BBD7358B2DCDA8F2A7B97BB45324F0C402EE1C756758C67A9488E712

Function 01052D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01052D1B
GetDC.USER32(00000000), ref: 01052D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01052D2E
ReleaseDC.USER32(00000000,00000000), ref: 01052D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01052D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01052D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01055A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01052DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01052DE1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d2f58566900b3763015d9747563e1baaeaf283b1c86878ffd2d122e00c44211f
Instruction ID: a0fd4a8ae3251f9bf3310243cd61408583d61002e8e5f086aecf790648640c4a
Opcode Fuzzy Hash: d2f58566900b3763015d9747563e1baaeaf283b1c86878ffd2d122e00c44211f
Instruction Fuzzy Hash: 79316B72201314BBFB618F548D89FEB3FADEF09715F044055FE889A285C67A9850CBB4

Function 01025622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01025637
_memcmp.LIBVCRUNTIME ref: 01025659
_memcmp.LIBVCRUNTIME ref: 01025671
_memcmp.LIBVCRUNTIME ref: 01025684
_memcmp.LIBVCRUNTIME ref: 0102569E
_memcmp.LIBVCRUNTIME ref: 010256B1
_memcmp.LIBVCRUNTIME ref: 010256C9
_memcmp.LIBVCRUNTIME ref: 010256E4

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7178dc44c79759bf173765fcf89abaf8a0b8a45c863a877237b883b16514a8b6
Instruction ID: 1b1812e248ba600f2f477009d07f8e785921e87ce475585c71f00493e155dea5
Opcode Fuzzy Hash: 7178dc44c79759bf173765fcf89abaf8a0b8a45c863a877237b883b16514a8b6
Instruction Fuzzy Hash: 1621C271A4126ABBA26496276E86FFB339CBE14384F040024FE849B641F738ED1081A9

Function 01044FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0104502E, 01045383
Not an Object type, xrefs: 01045007

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 031fbacd2f3e09278f7d61916f76887f1cff481db0d85fc67dc0fb0000423421
Instruction ID: 80b2b611d0bab77dd71aae9f789d97faea32cc175846759567541ce28bca34ae
Opcode Fuzzy Hash: 031fbacd2f3e09278f7d61916f76887f1cff481db0d85fc67dc0fb0000423421
Instruction Fuzzy Hash: D4D171B5A0020AAFDF10DF98CCC0AAEBBF5BF48314F1484B9E955AB291E771D945CB50

Function 01001522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 010015CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 01001651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 010016E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 010016FB

Part of subcall function 00FF3820: RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 01001777
__freea.LIBCMT ref: 010017A2
__freea.LIBCMT ref: 010017AE

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 41fe0f0ead9c033af42afc9da49b04b04329d2b2242971a2bc5edf9aa1af2e99
Instruction ID: 0ef39a0bcf21ac7225295c77445786635df3057151423361b051f47cbd068ea8
Opcode Fuzzy Hash: 41fe0f0ead9c033af42afc9da49b04b04329d2b2242971a2bc5edf9aa1af2e99
Instruction Fuzzy Hash: AB91C971E042169EFB228E78CC81AFE7BF5AF49310F184599E985EB1C0D736D940C7A0

Function 01044523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01044648
VariantInit.OLEAUT32(?), ref: 01044749
VariantClear.OLEAUT32(?), ref: 01044753
VariantClear.OLEAUT32(?), ref: 010447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0104472C
Null Object assignment in FOR..IN loop, xrefs: 010445D8, 01044706, 010447BE

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 03c735a5fae751d0a9117c751ba781072bd8a1dcda549c75c9f27c99125eb214
Instruction ID: ac89dcf5554bd51aa06d12c8360e184950356fc9e0070afb1537bc29e4144514
Opcode Fuzzy Hash: 03c735a5fae751d0a9117c751ba781072bd8a1dcda549c75c9f27c99125eb214
Instruction Fuzzy Hash: 05916DB1A00219EBDF20CFA5C884FAEBBB8FF45714F108569E595EB281D7709945CFA0

Function 01031187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0103125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01031284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0103135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01031430

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 1b6f710bdbc285a7a68291cefc173fadcc4b19246f1d051302575d082ba8fb61
Instruction ID: a220e1a2110e169b4b91a5c9571df80a5c11404d249e8e258626f621a063c77d
Opcode Fuzzy Hash: 1b6f710bdbc285a7a68291cefc173fadcc4b19246f1d051302575d082ba8fb61
Instruction Fuzzy Hash: B291C4719003099FEB00DF98C884BFE7BB9FF89315F144069E591E7291DB79A941CB90

Function 00FD948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c056724ca39866bcccba324523fc0d162fa939d6fae4446f01f843c7d748db30
Instruction ID: 21371f97ec9320ecff31838538254874637765d811a701f8beebfaff822e7fc8
Opcode Fuzzy Hash: c056724ca39866bcccba324523fc0d162fa939d6fae4446f01f843c7d748db30
Instruction Fuzzy Hash: 71915971D04209AFCB10CFE9CC84AEEBBB9FF49320F18845AE515B7255D379A941DB60

Function 01043947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0104396B
CharUpperBuffW.USER32(?,?), ref: 01043A7A
_wcslen.LIBCMT ref: 01043A8A
VariantClear.OLEAUT32(?), ref: 01043C1F

Part of subcall function 01030CDF: VariantInit.OLEAUT32(00000000), ref: 01030D1F
Part of subcall function 01030CDF: VariantCopy.OLEAUT32(?,?), ref: 01030D28
Part of subcall function 01030CDF: VariantClear.OLEAUT32(?), ref: 01030D34

Strings

AUTOIT.ERROR, xrefs: 01043A80, 01043A85
Incorrect Parameter format, xrefs: 010439A6, 01043BA1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: bc4d18e88e02e0c14528f858b79782c002496c5bc55d28a2f2ff878e0bee05b8
Instruction ID: 9c43d12a0d923884d7b2271afc15dea901fae87ffb4308d34d92575152ff717c
Opcode Fuzzy Hash: bc4d18e88e02e0c14528f858b79782c002496c5bc55d28a2f2ff878e0bee05b8
Instruction Fuzzy Hash: 3A9169B4A083059FC704EF28C58196ABBE5FF88314F04886DF98A9B351DB35ED05CB92

Function 01044BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0102000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?,?,0102035E), ref: 0102002B
Part of subcall function 0102000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020046
Part of subcall function 0102000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020054
Part of subcall function 0102000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?), ref: 01020064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01044C51
_wcslen.LIBCMT ref: 01044D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01044DCF
CoTaskMemFree.OLE32(?), ref: 01044DDA

Strings

NULL Pointer assignment, xrefs: 01044E23, 01044E52

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6aa9cd856bb0a04b7ed203fb862c3276e5b9c9dfd5105f9469e5718aa6f5a0ad
Instruction ID: d77a575598807d5c8e1bf439c2cb7b95234b179cc1dd36e464274dbec64d597b
Opcode Fuzzy Hash: 6aa9cd856bb0a04b7ed203fb862c3276e5b9c9dfd5105f9469e5718aa6f5a0ad
Instruction Fuzzy Hash: 219116B1D0021DAFDF24DFA4CC91EEEBBB8BF08314F104169E955A7241DB749A448F60

Function 010520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01052183
GetMenuItemCount.USER32(00000000), ref: 010521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010521DD
_wcslen.LIBCMT ref: 01052213
GetMenuItemID.USER32(?,?), ref: 0105224D
GetSubMenu.USER32(?,?), ref: 0105225B

Part of subcall function 01023A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01023A57
Part of subcall function 01023A3D: GetCurrentThreadId.KERNEL32 ref: 01023A5E
Part of subcall function 01023A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010225B3), ref: 01023A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010522E3

Part of subcall function 0102E97B: Sleep.KERNEL32 ref: 0102E9F3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 63602130667c9aca1192c011052463b2bdecdf00766cace6b5c55de8c8ed59ee
Instruction ID: 3ce57a922eca48220be17eb98896b0f7160ee81d54144a072f3bc6544d1c8876
Opcode Fuzzy Hash: 63602130667c9aca1192c011052463b2bdecdf00766cace6b5c55de8c8ed59ee
Instruction Fuzzy Hash: DF718079A00205EFCB50DF68C945AAFBBF5EF48350F148499E956EB341D738E941CB90

Function 01057E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018B6500), ref: 01057F37
IsWindowEnabled.USER32(018B6500), ref: 01057F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0105801E
SendMessageW.USER32(018B6500,000000B0,?,?), ref: 01058051
IsDlgButtonChecked.USER32(?,?), ref: 01058089
GetWindowLongW.USER32(018B6500,000000EC), ref: 010580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 010580C3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 05c1f238c15229d55b6313a8b724b69d2381bd51de946ba85167edbd709c8b7b
Instruction ID: 146e43f2bc98a1b03c4d4bd81f416d98f30121885eae8e92ac7aca06f3659c0f
Opcode Fuzzy Hash: 05c1f238c15229d55b6313a8b724b69d2381bd51de946ba85167edbd709c8b7b
Instruction Fuzzy Hash: C3717E34604205AFEBA1DF58C894FEBBBF9EF09300F54449AEEC597251C732A940EB20

Function 0102AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0102AEF9
GetKeyboardState.USER32(?), ref: 0102AF0E
SetKeyboardState.USER32(?), ref: 0102AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0102AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0102AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0102AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0102B020

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 234bfe5fe8380f45904b05cf7b9cf1daacd7ac0a9a3a03b52c4c79a23d813984
Instruction ID: 024ebdc7c23a0201df5d682c4a3152b71a37ef41e6ee50693691bd13be7e2b30
Opcode Fuzzy Hash: 234bfe5fe8380f45904b05cf7b9cf1daacd7ac0a9a3a03b52c4c79a23d813984
Instruction Fuzzy Hash: A451D3A06047E57DFB7742788845BBABFE95B06304F0884C9F2E9568C3D69DA8C8D760

Function 0102ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0102AD19
GetKeyboardState.USER32(?), ref: 0102AD2E
SetKeyboardState.USER32(?), ref: 0102AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0102ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0102ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0102AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0102AE38

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3b50296a5abc039d6caf14e26b238f5a0ae39bf989178220108fef8cbe7e17cd
Instruction ID: f41307ece1156cc5ff96f970d84a89639e083c2dd257652de2495009d8a7cdf2
Opcode Fuzzy Hash: 3b50296a5abc039d6caf14e26b238f5a0ae39bf989178220108fef8cbe7e17cd
Instruction Fuzzy Hash: A351D6A16047F57EFB3792388C55BBABED85B46300F0884C8E2D657CC3DA94E889D760

Function 00FF542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(01003CD6,?,?,?,?,?,?,?,?,00FF5BA3,?,?,01003CD6,?,?), ref: 00FF5470
__fassign.LIBCMT ref: 00FF54EB
__fassign.LIBCMT ref: 00FF5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,01003CD6,00000005,00000000,00000000), ref: 00FF552C
WriteFile.KERNEL32(?,01003CD6,00000000,00FF5BA3,00000000,?,?,?,?,?,?,?,?,?,00FF5BA3,?), ref: 00FF554B
WriteFile.KERNEL32(?,?,00000001,00FF5BA3,00000000,?,?,?,?,?,?,?,?,?,00FF5BA3,?), ref: 00FF5584

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 09ddde60377197e679aacacb425d96092c12fd97b5669ffeef4446c2eb6f451e
Instruction ID: 6ebd66f48d67a48cf05a9370c2d360ead33936e95e0e457a541f10c9caa01604
Opcode Fuzzy Hash: 09ddde60377197e679aacacb425d96092c12fd97b5669ffeef4446c2eb6f451e
Instruction Fuzzy Hash: E551C3B1D007499FDB20CFA8D855AEEBBF9EF09710F18411AF655E72A1D7309A41CB60

Function 00FE2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FE2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00FE2D53
_ValidateLocalCookies.LIBCMT ref: 00FE2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00FE2E0C
_ValidateLocalCookies.LIBCMT ref: 00FE2E61

Strings

csm, xrefs: 00FE2DF6

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 824f54a0b3170f3b42a29db578f8d99b4d210fb8f4b6e54c42a81283c284f03e
Instruction ID: 980e30fc76dc22de51c3298eb83a282b1591a6cda5cb5228ba5faf4b810a682f
Opcode Fuzzy Hash: 824f54a0b3170f3b42a29db578f8d99b4d210fb8f4b6e54c42a81283c284f03e
Instruction Fuzzy Hash: EA41E735E00249ABCF20DF6ACC49A9EBBB9BF44324F148155F9146B392E775DA01DBD0

Function 010410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0104304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0104307A
Part of subcall function 0104304E: _wcslen.LIBCMT ref: 0104309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01041112
WSAGetLastError.WSOCK32 ref: 01041121
WSAGetLastError.WSOCK32 ref: 010411C9
closesocket.WSOCK32(00000000), ref: 010411F9

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 5d99a501d6d1642553feed984b07c6cb04daee13ccebcf4c58561ab330fe8906
Instruction ID: 0d450863020bb97fdde7721dc001742491c7d01e04d4a5d26837939badffbec9
Opcode Fuzzy Hash: 5d99a501d6d1642553feed984b07c6cb04daee13ccebcf4c58561ab330fe8906
Instruction Fuzzy Hash: D741F675600204AFEB109F28C985BAABBE9FF45324F048069FC959B295C775BD81CBE0

Function 0102CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0102DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0102CF22,?), ref: 0102DDFD

Part of subcall function 0102DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0102CF22,?), ref: 0102DE16

lstrcmpiW.KERNEL32(?,?), ref: 0102CF45
MoveFileW.KERNEL32(?,?), ref: 0102CF7F
_wcslen.LIBCMT ref: 0102D005
_wcslen.LIBCMT ref: 0102D01B
SHFileOperationW.SHELL32(?), ref: 0102D061

Strings

\*.*, xrefs: 0102CFF3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 0f4f1206bf16d8418db907b39b581c6ea6ddc4b0968584d94d4a6c2f42e45f2e
Instruction ID: 5688414898bbea0a180a10835d01b389cc37ef12d627df8130ab68b88075e96f
Opcode Fuzzy Hash: 0f4f1206bf16d8418db907b39b581c6ea6ddc4b0968584d94d4a6c2f42e45f2e
Instruction Fuzzy Hash: F34128719452295FEF52EBA4DA81EDE77F8AF18380F1000E6D589EB141EA35A644CB50

Function 01052DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01052E1C
GetWindowLongW.USER32(?,000000F0), ref: 01052E4F
GetWindowLongW.USER32(?,000000F0), ref: 01052E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 01052EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 01052EE0
GetWindowLongW.USER32(?,000000F0), ref: 01052EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01052F0B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8d86cc4ed8457abe852cf242d27827e809daf7e69f2db55d276c260069ea3fd3
Instruction ID: 76bccba61c4628aa52693b5f63795d9ca253704de5b17014be7daeed66a17428
Opcode Fuzzy Hash: 8d86cc4ed8457abe852cf242d27827e809daf7e69f2db55d276c260069ea3fd3
Instruction Fuzzy Hash: EA31F830604251EFEBA2CF58DD84F6637E5FF59720F1501A4F9908B2A6C776B840EB51

Function 01027726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01027769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102778F
SysAllocString.OLEAUT32(00000000), ref: 01027792
SysAllocString.OLEAUT32(?), ref: 010277B0
SysFreeString.OLEAUT32(?), ref: 010277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 010277DE
SysAllocString.OLEAUT32(?), ref: 010277EC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2637088d612a16155ec2bd4ff48cac3a0b0e2cc8956bff28d421ec5270a1287d
Instruction ID: 9a98645b1aa4ed39562b1fe76f06b239c37be4f77a92d1f539d45cce9428896f
Opcode Fuzzy Hash: 2637088d612a16155ec2bd4ff48cac3a0b0e2cc8956bff28d421ec5270a1287d
Instruction Fuzzy Hash: 9621B076600329AFEF10DEACCC88CBB77ECFB092647048065FA45DB255DA74DC418B60

Function 010277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01027842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01027868
SysAllocString.OLEAUT32(00000000), ref: 0102786B
SysAllocString.OLEAUT32 ref: 0102788C
SysFreeString.OLEAUT32 ref: 01027895
StringFromGUID2.OLE32(?,?,00000028), ref: 010278AF
SysAllocString.OLEAUT32(?), ref: 010278BD

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1cf9f17a4b59ebd9c62245ea625cbb8c403affa698801bb94e0418444b5ea5be
Instruction ID: 5df3af677189a333bfa61c0ccc42861fee8c2374a75a5c9510912a625c709224
Opcode Fuzzy Hash: 1cf9f17a4b59ebd9c62245ea625cbb8c403affa698801bb94e0418444b5ea5be
Instruction Fuzzy Hash: 2121A131604224AFEB159FACDC88DBB77ECEB093607008125F955CB295EAB4DC41CB74

Function 010305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 010305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01030601

Strings

nul, xrefs: 01030639

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 76266996ae1ee7c50ba95b5db1e619693ab2887be42e0f044685e667052526f0
Instruction ID: 308e2c9878d4942387fbd0b01c8f75959240a3a12335119d46d3e33c135bbb74
Opcode Fuzzy Hash: 76266996ae1ee7c50ba95b5db1e619693ab2887be42e0f044685e667052526f0
Instruction Fuzzy Hash: 62217F755013059BEB209F6DC804A9A7BECAFC9B24F200A59F9E1E72DCD7719550DB10

Function 010304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 010304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0103052E

Strings

nul, xrefs: 01030567

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 622dabdefa120b6bb370741c0df7e5d4e1e7878291e2eb3a577aa7a2fda1355d
Instruction ID: 51844d149b8d3e07aac192eb9b087ef19ae5774bc8025f7d220c60337446c2f9
Opcode Fuzzy Hash: 622dabdefa120b6bb370741c0df7e5d4e1e7878291e2eb3a577aa7a2fda1355d
Instruction Fuzzy Hash: F021AB70601305EBEB208F2DD804A9B7BECAF84760F204A58F9E1D62D8D7709540CB20

Function 010540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FC604C
Part of subcall function 00FC600E: GetStockObject.GDI32(00000011), ref: 00FC6060
Part of subcall function 00FC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01054112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0105411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0105412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01054139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01054145

Strings

Msctls_Progress32, xrefs: 010540E3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c5f55fce36b23097cf60c7d0452861bf73f645aca57f4137652a3d551ffcce35
Instruction ID: 7ab4a15ccf73bfa0533fec486c28eb5def585b5dde7dc4132665620872b699a2
Opcode Fuzzy Hash: c5f55fce36b23097cf60c7d0452861bf73f645aca57f4137652a3d551ffcce35
Instruction Fuzzy Hash: 8611B2B224021ABEEF219E65CC85EE77F9DEF08798F004111BA58E6050C6769C61DBA4

Function 00FFD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FFD7A3: _free.LIBCMT ref: 00FFD7CC

_free.LIBCMT ref: 00FFD82D

Part of subcall function 00FF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FFD838
_free.LIBCMT ref: 00FFD843
_free.LIBCMT ref: 00FFD897
_free.LIBCMT ref: 00FFD8A2
_free.LIBCMT ref: 00FFD8AD
_free.LIBCMT ref: 00FFD8B8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9de7b4f6082d016ce59511fa0de5f8da0c18a91d7f817d19722c6b279839e9c0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1C115172580B0CAAD531BFB0CC47FEB7BED6F00700F400825B399AA0B2DA69B505B650

Function 0102DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0102DA74
LoadStringW.USER32(00000000), ref: 0102DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0102DA91
LoadStringW.USER32(00000000), ref: 0102DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0102DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0102DAB9

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4c1d0eeedc9440b7d5f8272c4c2ea3fde19adc5f6cb70ab192f2e3ec7340ebb5
Instruction ID: b05c91d3122f162a0875518ea9dc9c48f4ea91aa625d604b2e3cbd1633c8b0d9
Opcode Fuzzy Hash: 4c1d0eeedc9440b7d5f8272c4c2ea3fde19adc5f6cb70ab192f2e3ec7340ebb5
Instruction Fuzzy Hash: 470162F25003187FF751ABA49E89EEB376CE708305F404496F786E2041EA759E848F74

Function 0103096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(018AEE00,018AEE00), ref: 0103097B
EnterCriticalSection.KERNEL32(018AEDE0,00000000), ref: 0103098D
TerminateThread.KERNEL32(?,000001F6), ref: 0103099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 010309A9
CloseHandle.KERNEL32(?), ref: 010309B8
InterlockedExchange.KERNEL32(018AEE00,000001F6), ref: 010309C8
LeaveCriticalSection.KERNEL32(018AEDE0), ref: 010309CF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6dc5cff37530c15df33a912915050f927ae9576065552ea50cdb346a258ef332
Instruction ID: c7c822fdf70a4c5ca7e6ef8755b82e0f6e2bd127865c82af2aa914965a58ef83
Opcode Fuzzy Hash: 6dc5cff37530c15df33a912915050f927ae9576065552ea50cdb346a258ef332
Instruction Fuzzy Hash: 5FF01D31442702BBF7615B94EF88ADB7A6DFF41742F401016F24250898CB7A9465CF90

Function 00FC5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00FC5D30
GetWindowRect.USER32(?,?), ref: 00FC5D71
ScreenToClient.USER32(?,?), ref: 00FC5D99
GetClientRect.USER32(?,?), ref: 00FC5ED7
GetWindowRect.USER32(?,?), ref: 00FC5EF8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bb80e12d6d94adcb3d27e1d4e39105cc89c081ce219998a94f17a6d0b9e52a18
Instruction ID: 9ad9ab4ee54f3c96dc367451108c16a0915e3aaac04c079fc576306d5498b101
Opcode Fuzzy Hash: bb80e12d6d94adcb3d27e1d4e39105cc89c081ce219998a94f17a6d0b9e52a18
Instruction Fuzzy Hash: A1B15A35A0074ADBEB14CFA8C581BEEB7F1FF48310F14841AE9A9D7250DB34AA91DB54

Function 00FF01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FF00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF00D6
__allrem.LIBCMT ref: 00FF00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF010B
__allrem.LIBCMT ref: 00FF0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF0140

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: df71b17c2ba2a5636abf643135a9e3dba29a5334d18f6972d526577056c5dcaf
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: D8812772A00B4A9BE7209F29CC41B7A73E8AF41330F24463AF651D62E2EF74D904A750

Function 01041D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01043149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0104101C,00000000,?,?,00000000), ref: 01043195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01041DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01041DE1
WSAGetLastError.WSOCK32 ref: 01041DF2
inet_ntoa.WSOCK32(?), ref: 01041E8C
htons.WSOCK32(?,?,?,?,?), ref: 01041EDB
_strlen.LIBCMT ref: 01041F35

Part of subcall function 010239E8: _strlen.LIBCMT ref: 010239F2

Part of subcall function 00FC6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00FDCF58,?,?,?), ref: 00FC6DBA
Part of subcall function 00FC6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00FDCF58,?,?,?), ref: 00FC6DED

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: abb2357c0a48bc584cc7bd03dcbd7ee125d49bd1641cf58f202bf1d1121b5220
Instruction ID: f3b8d53c008aca892b2fa0be10488c3f4dd67c6488461cba5bfbd8143ab02826
Opcode Fuzzy Hash: abb2357c0a48bc584cc7bd03dcbd7ee125d49bd1641cf58f202bf1d1121b5220
Instruction Fuzzy Hash: 4AA1F2B0104301AFD324EF24C886F2A7BE5AF94318F54496CF5965B2E2CB35ED86CB91

Function 00FF61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FE82D9,00FE82D9,?,?,?,00FF644F,00000001,00000001,8BE85006), ref: 00FF6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FF644F,00000001,00000001,8BE85006,?,?,?), ref: 00FF62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FF63D8
__freea.LIBCMT ref: 00FF63E5

Part of subcall function 00FF3820: RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

__freea.LIBCMT ref: 00FF63EE
__freea.LIBCMT ref: 00FF6413

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3657f03c8ccd5bb9a61cdcf1e61a1c9a34078c92edbb1c2a490b09c55786d422
Instruction ID: 242523f8bdc59ce8eb3a35639bc8eac4d0eb21e2b2707d4f9f9f0e879e04db7d
Opcode Fuzzy Hash: 3657f03c8ccd5bb9a61cdcf1e61a1c9a34078c92edbb1c2a490b09c55786d422
Instruction Fuzzy Hash: 2C51E472A0021AABEF258E64CC81EBF77A9EF55760F154229FE05D7260DF38DC44E660

Function 0104BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 0104C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104C9F1
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA68
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0104BD25
RegCloseKey.ADVAPI32(00000000), ref: 0104BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0104BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0104BDF3
RegCloseKey.ADVAPI32(?), ref: 0104BDFF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 61da66533885bf3abfd555701d8f014c0d7ac5be40770db6809059d19576d5bc
Instruction ID: 91e8daccb695ddc013b552c41720e0a753b824bc4c5ec2f362f165359407d3e9
Opcode Fuzzy Hash: 61da66533885bf3abfd555701d8f014c0d7ac5be40770db6809059d19576d5bc
Instruction Fuzzy Hash: F7819170108341AFD754EF24C9C5E2ABBE5FF84308F1489ACF5954B2A2DB36E945CB92

Function 0101F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0101F7B9
SysAllocString.OLEAUT32(00000001), ref: 0101F860
VariantCopy.OLEAUT32(0101FA64,00000000), ref: 0101F889
VariantClear.OLEAUT32(0101FA64), ref: 0101F8AD
VariantCopy.OLEAUT32(0101FA64,00000000), ref: 0101F8B1
VariantClear.OLEAUT32(?), ref: 0101F8BB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0ecc8b3509262aea8c5f2806c88a0101c747fb8062bb7d9d1686f0f7fca23c43
Instruction ID: 8bae87679104a89594adb95f3b9d6cd9775e00a3d76a8604395782515680d156
Opcode Fuzzy Hash: 0ecc8b3509262aea8c5f2806c88a0101c747fb8062bb7d9d1686f0f7fca23c43
Instruction Fuzzy Hash: 7151E931500322BADF20BB65D885B6DB3EAEF45310F144497E946DF299DB7C8C48CB56

Function 0103910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 010394E5
_wcslen.LIBCMT ref: 01039506
_wcslen.LIBCMT ref: 0103952D
GetSaveFileNameW.COMDLG32(00000058), ref: 01039585

Strings

X, xrefs: 01039412

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 9bfcc7264ef6cfaf77fa5390dd52a7d879d17ba9fbb390207120947b28c10d37
Instruction ID: a78f3887bcbaecf7f1116aaf85a3cbc7f7ffaff01860813437abb272eaebf5b0
Opcode Fuzzy Hash: 9bfcc7264ef6cfaf77fa5390dd52a7d879d17ba9fbb390207120947b28c10d37
Instruction Fuzzy Hash: 97E1AF315083418FD724EF24C982F6AB7E4BF84314F04896DF9899B2A2DB75ED44CB92

Function 00FD920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

BeginPaint.USER32(?,?,?), ref: 00FD9241
GetWindowRect.USER32(?,?), ref: 00FD92A5
ScreenToClient.USER32(?,?), ref: 00FD92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FD92D3
EndPaint.USER32(?,?,?,?,?), ref: 00FD9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010171EA

Part of subcall function 00FD9339: BeginPath.GDI32(00000000), ref: 00FD9357

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: f82ad2e58da6317fd998d9df3994ddf13fa66357a91d5148c38cf8fc36cb8886
Instruction ID: d7cb8de7fa64e7ecdbd2ba102a67fbc83fe1a1ec1981a25690f9d6c020377caf
Opcode Fuzzy Hash: f82ad2e58da6317fd998d9df3994ddf13fa66357a91d5148c38cf8fc36cb8886
Instruction Fuzzy Hash: 6741C231108301AFD721DF58C884FBA7BA9FB45330F08066AF994872E5C77A9845EB61

Function 010307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0103080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01030847
EnterCriticalSection.KERNEL32(?), ref: 01030863
LeaveCriticalSection.KERNEL32(?), ref: 010308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 01030921

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a3c2368d7cbef6f920b13401d052076edfd89f7c5f8c7c6cf288371a9da58e4b
Instruction ID: ec1929d558a3b3195518caee25230c116c36b33ca0a923eaf6740c765874b817
Opcode Fuzzy Hash: a3c2368d7cbef6f920b13401d052076edfd89f7c5f8c7c6cf288371a9da58e4b
Instruction Fuzzy Hash: E6419A31900205EBEF15DF54DC85AAAB7B9FF44300F1480A6FD449A29BDB35DE64DBA0

Function 010581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0101F3AB,00000000,?,?,00000000,?,0101682C,00000004,00000000,00000000), ref: 0105824C
EnableWindow.USER32(?,00000000), ref: 01058272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010582D1
ShowWindow.USER32(?,00000004), ref: 010582E5
EnableWindow.USER32(?,00000001), ref: 0105830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0105832F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 00d3ab9a75f53bb98cf8e58b58577003804cd9a50f6f7c899f85d6477b36c514
Instruction ID: eea3dc3a7a2716eb73ba5f0f1c9fb37955c1df7de2b0509184eacaa568558a08
Opcode Fuzzy Hash: 00d3ab9a75f53bb98cf8e58b58577003804cd9a50f6f7c899f85d6477b36c514
Instruction Fuzzy Hash: 0A41B934601745AFEFA2CF1AC499BE67FE0FB09754F1481A6EE988B167C3366441CB50

Function 010422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010422E8

Part of subcall function 0103E4EC: GetWindowRect.USER32(?,?), ref: 0103E504

GetDesktopWindow.USER32 ref: 01042312
GetWindowRect.USER32(00000000), ref: 01042319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01042355
GetCursorPos.USER32(?), ref: 01042381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010423DF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a706179f201bddf1150173d89fd62b9ddc23c6640b474847ac272aeadfb92fd8
Instruction ID: f48f9bb7081130830021525666b9ea11066c879d7dabdd5d876b772fd7de3f75
Opcode Fuzzy Hash: a706179f201bddf1150173d89fd62b9ddc23c6640b474847ac272aeadfb92fd8
Instruction Fuzzy Hash: 8631AFB2604315ABD721DF54D844A9BBBE9FF88714F004A29F9C597181DB35EA08CB92

Function 01024C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 01024C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01024CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01024CEA
_wcslen.LIBCMT ref: 01024D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01024D10
_wcsstr.LIBVCRUNTIME ref: 01024D1A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 613bd781316ef6a6726add82e7791245feac20becb0b4fa2d9d161fc012b0d9f
Instruction ID: 08c06b2daed4a189d128964c82e57a538dcaf29f29074cba74dbd8870c2efbd8
Opcode Fuzzy Hash: 613bd781316ef6a6726add82e7791245feac20becb0b4fa2d9d161fc012b0d9f
Instruction Fuzzy Hash: 412129326042147BFB666B39EC49E7F7BDCDF49750F10407AF849CA192EA75D90097A0

Function 0103581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC3A97,?,?,00FC2E7F,?,?,?,00000000), ref: 00FC3AC2

_wcslen.LIBCMT ref: 0103587B
CoInitialize.OLE32(00000000), ref: 01035995
CoCreateInstance.OLE32(0105FCF8,00000000,00000001,0105FB68,?), ref: 010359AE
CoUninitialize.OLE32 ref: 010359CC

Strings

.lnk, xrefs: 01035876, 010358C1, 01035985

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: dcdc67553acdbc418475a6a21ca35d867513c48a6a19e8bd826e26cc9c863392
Instruction ID: f0e32dfe3233a86e6ea245aae3bde374afa6e1d5753e6c63be5e30582e6ef9f1
Opcode Fuzzy Hash: dcdc67553acdbc418475a6a21ca35d867513c48a6a19e8bd826e26cc9c863392
Instruction Fuzzy Hash: ACD155756083019FC714DF18C984A2ABBE9EF89710F14889DF8899B361DB35ED45CF92

Function 0102175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01020FCA
Part of subcall function 01020FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01020FD6
Part of subcall function 01020FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01020FE5
Part of subcall function 01020FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01020FEC
Part of subcall function 01020FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01021002

GetLengthSid.ADVAPI32(?,00000000,01021335), ref: 010217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010217BA
HeapAlloc.KERNEL32(00000000), ref: 010217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 010217DA
GetProcessHeap.KERNEL32(00000000,00000000,01021335), ref: 010217EE
HeapFree.KERNEL32(00000000), ref: 010217F5

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9794241e490cc0a11d9f44b8861b75a73041acc0e154672abab3cf821170619d
Instruction ID: 57310ed7d7966720eef19297455f624e27117aeeb4e1fe1425ad4b831675edb0
Opcode Fuzzy Hash: 9794241e490cc0a11d9f44b8861b75a73041acc0e154672abab3cf821170619d
Instruction Fuzzy Hash: AA117C31500315EFEB649FA8CD49BAF7BF9FB86255F144098F5C197204D73AA944CB60

Function 010214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010214FF
OpenProcessToken.ADVAPI32(00000000), ref: 01021506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01021515
CloseHandle.KERNEL32(00000004), ref: 01021520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0102154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 01021563

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 71966ec241ff33e4879e28f9eeeecf0d2a841a8e01afbfcac084da0c163b5e3c
Instruction ID: d2ba6aafdb6ae4b2004fbc802fdb504019b56e3f5b998ba4759b2f0f089a91a7
Opcode Fuzzy Hash: 71966ec241ff33e4879e28f9eeeecf0d2a841a8e01afbfcac084da0c163b5e3c
Instruction Fuzzy Hash: 1411267250035DABEF218FA8DE49BDE7BADFF08744F0441A5FA45A2060C3768E64DB60

Function 00FE3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FE3379,00FE2FE5), ref: 00FE3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FE339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FE33B7
SetLastError.KERNEL32(00000000,?,00FE3379,00FE2FE5), ref: 00FE3409

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b4f9436e4ab5ed42cd13bb8953d6a901b7541bb7b62c59c3193a37535b60a4c7
Instruction ID: 734f81a275b0dfcaa7c3f46efe9cd7b7efd5e29e6f507158c16ca2fa9457a736
Opcode Fuzzy Hash: b4f9436e4ab5ed42cd13bb8953d6a901b7541bb7b62c59c3193a37535b60a4c7
Instruction Fuzzy Hash: 3C014533A0D3512EB73226767D8DEAB2AA4DB023B43300229F050831E1EF1A0E027A64

Function 00FF2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FF5686,01003CD6,?,00000000,?,00FF5B6A,?,?,?,?,?,00FEE6D1,?,01088A48), ref: 00FF2D78
_free.LIBCMT ref: 00FF2DAB
_free.LIBCMT ref: 00FF2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00FEE6D1,?,01088A48,00000010,00FC4F4A,?,?,00000000,01003CD6), ref: 00FF2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00FEE6D1,?,01088A48,00000010,00FC4F4A,?,?,00000000,01003CD6), ref: 00FF2DEC
_abort.LIBCMT ref: 00FF2DF2

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 90541d33470f7450a0bacfd9b7944bc3ce3604582d5cc134df83e42f4bb5b60d
Instruction ID: c735035285cc46b94544d7aea0e83b5861626b441550afdbc9a096437459c066
Opcode Fuzzy Hash: 90541d33470f7450a0bacfd9b7944bc3ce3604582d5cc134df83e42f4bb5b60d
Instruction Fuzzy Hash: 14F02832945B0C27D7B23638BC16E7F3569AFC27B0F240419FB64921B6EF2D89017220

Function 01058A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD9693
Part of subcall function 00FD9639: SelectObject.GDI32(?,00000000), ref: 00FD96A2
Part of subcall function 00FD9639: BeginPath.GDI32(?), ref: 00FD96B9
Part of subcall function 00FD9639: SelectObject.GDI32(?,00000000), ref: 00FD96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01058A4E
LineTo.GDI32(?,00000003,00000000), ref: 01058A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01058A70
LineTo.GDI32(?,00000000,00000003), ref: 01058A80
EndPath.GDI32(?), ref: 01058A90
StrokePath.GDI32(?), ref: 01058AA0

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 28a06ee15a76ec42216631e4d2243519298fc779712fbfe2509346c3e06eb7f6
Instruction ID: 502803efbeb40fc7acfd72f54a848111b39607c9fa55b8e885de5a3c2a6256bd
Opcode Fuzzy Hash: 28a06ee15a76ec42216631e4d2243519298fc779712fbfe2509346c3e06eb7f6
Instruction Fuzzy Hash: A0110C76000209BFEF119F94DC88EAA7F6DEB05360F048052BE5595164C7769D55DB60

Function 010251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01025218
GetDeviceCaps.GDI32(00000000,00000058), ref: 01025229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01025230
ReleaseDC.USER32(00000000,00000000), ref: 01025238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0102524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 01025261

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ee64a29462e2d860398059447dec4755873b50cd67aa0eec5206b93b00ba65d1
Instruction ID: a63a5569d5de01474af6f8eaee31b7264083630e4bdc15467f38b5817c104133
Opcode Fuzzy Hash: ee64a29462e2d860398059447dec4755873b50cd67aa0eec5206b93b00ba65d1
Instruction Fuzzy Hash: 6501DF71A00318BBFB109BA98D49A8FBFBCEF49711F044065FA44A7280D6709800CBA0

Function 00FC1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC1C22

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c59284d87521344cbe18fec0e6e660684ce94e8a2f3035b2debf312b90052779
Instruction ID: 483108af15139658b71231cc0a5633f331f14e5b3b2a2298e007be33a836bc9b
Opcode Fuzzy Hash: c59284d87521344cbe18fec0e6e660684ce94e8a2f3035b2debf312b90052779
Instruction Fuzzy Hash: DA0167B0902B5ABDE3008F6A8C85B53FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0102EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0102EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0102EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0102EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0102EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0102EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0102EB75

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c7d33f0ef32762573887e55351bcaef8327c7bfabda26e6c5e877125d7a40b2b
Instruction ID: e0dfb2b683a48d167a7d4b0bed1f7fa567d7b45e6d37463baa3f8bb8a7d05605
Opcode Fuzzy Hash: c7d33f0ef32762573887e55351bcaef8327c7bfabda26e6c5e877125d7a40b2b
Instruction Fuzzy Hash: 89F01772240358BBE7315A629D0EEAB7A7CEBCAB11F000158FA41D108596AA6A0187B5

Function 01017439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 01017452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01017469
GetWindowDC.USER32(?), ref: 01017475
GetPixel.GDI32(00000000,?,?), ref: 01017484
ReleaseDC.USER32(?,00000000), ref: 01017496
GetSysColor.USER32(00000005), ref: 010174B0

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 4acee088de893e75e7f59ba18179b7659cdc37e3694e18df98709a9fb2435d30
Instruction ID: 7196ee9c779686d78b51f571518489cb393fefba8f4a878ddbf9a73294e49462
Opcode Fuzzy Hash: 4acee088de893e75e7f59ba18179b7659cdc37e3694e18df98709a9fb2435d30
Instruction Fuzzy Hash: EF018B31440305EFEB615FA4DD08BAA7BB9FB08321F544060F996A3195CF3A1E41EB20

Function 01021874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0102187F
UnloadUserProfile.USERENV(?,?), ref: 0102188B
CloseHandle.KERNEL32(?), ref: 01021894
CloseHandle.KERNEL32(?), ref: 0102189C
GetProcessHeap.KERNEL32(00000000,?), ref: 010218A5
HeapFree.KERNEL32(00000000), ref: 010218AC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e51634a98a067ecf12216797e654c0ae46096a648504afea5696292a97f31e09
Instruction ID: 20b34753ca39154b797830b7d7628cf7d0369afc976a8ba6481ce60b9df8c183
Opcode Fuzzy Hash: e51634a98a067ecf12216797e654c0ae46096a648504afea5696292a97f31e09
Instruction Fuzzy Hash: BAE0E536004705BBEB115FA1EE0C90BBF7DFF4AB22B108220F26681468CB37A4A0DB54

Function 0102C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0102C6EE
_wcslen.LIBCMT ref: 0102C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0102C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0102C7CA

Strings

0, xrefs: 0102C6AF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e34aa005ae0264b1fe249d97d2264c80af9249d47e9abea4ce362aed9a313f57
Instruction ID: 063d94e9acfb0351e32b462428497c3ff32f2b35cb25c68c2fe07ce76b6cfc04
Opcode Fuzzy Hash: e34aa005ae0264b1fe249d97d2264c80af9249d47e9abea4ce362aed9a313f57
Instruction Fuzzy Hash: DA5110316043219BF7A19E28CA88B6F7BE8BF49314F040A6DFAD6D3191DB74D804DB52

Function 0104AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0104AEA3

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

GetProcessId.KERNEL32(00000000), ref: 0104AF38
CloseHandle.KERNEL32(00000000), ref: 0104AF67

Strings

@, xrefs: 0104AE72
<, xrefs: 0104AE6B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4ceeff81ea2b2eedfaa94f94308e2dc555d8145c3cd58b530529e9571964378d
Instruction ID: de4d0db9efe5dc4f06de8fa8ddcc9664b9da5e154165d9efd261185f4252f137
Opcode Fuzzy Hash: 4ceeff81ea2b2eedfaa94f94308e2dc555d8145c3cd58b530529e9571964378d
Instruction Fuzzy Hash: 5C716A70A00215DFDB14EF55C985A9EBBF0AF08314F0484ADE896AB392C779ED45DB90

Function 0102719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01027206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0102723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0102724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010272CF

Strings

DllGetClassObject, xrefs: 01027242

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 41e6b2fef641df680cd0464140a6ca68112a828002808d2cde80e2c992d3fe56
Instruction ID: c99e8303c3fa96d11b7f6697ae16dc79b1f4cc309cc30d5f7c2f5740defd9baf
Opcode Fuzzy Hash: 41e6b2fef641df680cd0464140a6ca68112a828002808d2cde80e2c992d3fe56
Instruction Fuzzy Hash: 59419D71A00214EFDB25CF54C884A9A7FA9EF56310F1180ADFD459F20AD7B1D948CBA0

Function 01053D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01053E35
IsMenu.USER32(?), ref: 01053E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01053E92
DrawMenuBar.USER32 ref: 01053EA5

Strings

0, xrefs: 01053D89

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 924b3dfafd2e4ee44d58d0b5c32227537e21c5314f7ec3a0ecf2371a13666297
Instruction ID: f98ec4545df8d801d33a9c7a82dc05466b634fcddabc8a7185076c93e96dda66
Opcode Fuzzy Hash: 924b3dfafd2e4ee44d58d0b5c32227537e21c5314f7ec3a0ecf2371a13666297
Instruction Fuzzy Hash: 69416A75A00209AFEB60DF94D884EABBBF9FF48394F044069ED859B280D735A940DF60

Function 01021DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01021E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01021E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 01021EA9

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

Strings

ComboBox, xrefs: 01021DF0
ListBox, xrefs: 01021E25

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 48798b6d1828a2ce1b42d69b50e2100def567c7b6acd7899cabaf41fe880b7a4
Instruction ID: ed54a79a4ece3b30d4e819c4c306ebe7cb5103052ec60b052c8850c95a139910
Opcode Fuzzy Hash: 48798b6d1828a2ce1b42d69b50e2100def567c7b6acd7899cabaf41fe880b7a4
Instruction Fuzzy Hash: C3214771A00209BEEF14AB64DD4ADFFBBBDEF45350B04412DF4A1A71D1DB7849099720

Function 0104C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0104C9F1
_wcslen.LIBCMT ref: 0104CA68
_wcslen.LIBCMT ref: 0104CA9E
_wcslen.LIBCMT ref: 0104CAF9
_wcslen.LIBCMT ref: 0104CB2F
_wcslen.LIBCMT ref: 0104CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0104CA62, 0104CA67
HKLM, xrefs: 0104CA98, 0104CA9D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 9f1b0713df9adea5abc4e6a1fe11e00fb369714859e0dcfce77cb3ba6b825432
Instruction ID: 97960f650f68f70995458cd3b3288e985c83ffad24027b1e64317052c8823285
Opcode Fuzzy Hash: 9f1b0713df9adea5abc4e6a1fe11e00fb369714859e0dcfce77cb3ba6b825432
Instruction Fuzzy Hash: 64314BB36021624BEB61EE2CDBC05BE37D15B51658B1540BDE8C1AB34AEA71CD64D3A0

Function 01052F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01052F8D
LoadLibraryW.KERNEL32(?), ref: 01052F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01052FA9
DestroyWindow.USER32(?), ref: 01052FB1

Strings

SysAnimate32, xrefs: 01052F68

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 21827b8f34af6cca360be30991fc336b0e92354f8ca7164a5b2ca96c9f237cf6
Instruction ID: e459080fe17f927b5ef1be49b9bed3527cfbdacc21ec4236f0e5fbb15bfa108f
Opcode Fuzzy Hash: 21827b8f34af6cca360be30991fc336b0e92354f8ca7164a5b2ca96c9f237cf6
Instruction Fuzzy Hash: F621AC72204209EBEFA14F68EC80EBB37ADEF49364F100628FE90E6195D771DC519B60

Function 00FE4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FE4D1E,00FF28E9,?,00FE4CBE,00FF28E9,010888B8,0000000C,00FE4E15,00FF28E9,00000002), ref: 00FE4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FE4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00FE4D1E,00FF28E9,?,00FE4CBE,00FF28E9,010888B8,0000000C,00FE4E15,00FF28E9,00000002,00000000), ref: 00FE4DC3

Strings

mscoree.dll, xrefs: 00FE4D86
CorExitProcess, xrefs: 00FE4D98

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d2447e4764cca6ef97856cec0b4d1b1cca145e7f4677b966a5bb0115bcf3cfad
Instruction ID: 75205dadc6882e6b83a6a044db012e6e4891e6ae68338a04932ee0b03256b92b
Opcode Fuzzy Hash: d2447e4764cca6ef97856cec0b4d1b1cca145e7f4677b966a5bb0115bcf3cfad
Instruction Fuzzy Hash: FAF0C230A40308BBEB209F91DD09BEEBFB8EF04761F0000A8F845A6244CF795E40DB90

Function 00FC4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC4EDD,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC4EAE
FreeLibrary.KERNEL32(00000000,?,?,00FC4EDD,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00FC4EA8
kernel32.dll, xrefs: 00FC4E94

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 54c3c0ebce581eaf1aaf12baa6837f627fe9c78c34493ecb4432749434b39ad1
Instruction ID: b611a9c48ae69e4139ca5dbfa411d59ada8ebd1baf1b73eab8831a1247728669
Opcode Fuzzy Hash: 54c3c0ebce581eaf1aaf12baa6837f627fe9c78c34493ecb4432749434b39ad1
Instruction Fuzzy Hash: 82E08635E027235BA33117256D29F5B765CAF82F72B060119FC40E6104DB64DC0191A4

Function 00FC4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,01003CDE,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC4E74
FreeLibrary.KERNEL32(00000000,?,?,01003CDE,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00FC4E6E
kernel32.dll, xrefs: 00FC4E5B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5ace5556140b1853d7e4375761caf99af4646a185eb0cd869d87baa578d56f55
Instruction ID: 3876b4c2099c19a884ed68a0c8e0f31a2b157ae2341fe1dfed36ece977c81b54
Opcode Fuzzy Hash: 5ace5556140b1853d7e4375761caf99af4646a185eb0cd869d87baa578d56f55
Instruction Fuzzy Hash: 13D0C2319027225767321B297E29F8B3A1CAF82F213060118BC80A6108CF25CD01D2E4

Function 01032947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01032C05
DeleteFileW.KERNEL32(?), ref: 01032C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01032C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01032CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01032CC0

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 16a956798f1da83499e9d9c4927c12f3b052126cfd7dbe62c5d84f4b00724472
Instruction ID: 259824f4a40111fec46d3365509e9c90407258818950f2b836d1f8032a3459e3
Opcode Fuzzy Hash: 16a956798f1da83499e9d9c4927c12f3b052126cfd7dbe62c5d84f4b00724472
Instruction Fuzzy Hash: 34B14F71D0011DABDF25DBA4CD85EDEBBBDEF48350F0040AAF649E6141EB35AA448F61

Function 0104A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0104A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0104A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0104A468
CloseHandle.KERNEL32(?), ref: 0104A63D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6c4d5e6e93c726ed7f2d9512d00a91389ec33c8a810635caeaf9382efe1c0bed
Instruction ID: 0488a6ee5f56698a9f116e73317a0096c94f61d726e9babfb24dc7dc877cface
Opcode Fuzzy Hash: 6c4d5e6e93c726ed7f2d9512d00a91389ec33c8a810635caeaf9382efe1c0bed
Instruction Fuzzy Hash: AFA1B2B16043019FE720DF28C982F2AB7E5AF88714F04885DF59A9B392DB74EC41CB91

Function 0102E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0102DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0102CF22,?), ref: 0102DDFD

Part of subcall function 0102DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0102CF22,?), ref: 0102DE16

Part of subcall function 0102E199: GetFileAttributesW.KERNEL32(?,0102CF95), ref: 0102E19A

lstrcmpiW.KERNEL32(?,?), ref: 0102E473
MoveFileW.KERNEL32(?,?), ref: 0102E4AC
_wcslen.LIBCMT ref: 0102E5EB
_wcslen.LIBCMT ref: 0102E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0102E650

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fc6ed514a044b27fc52e35cfb618499202c459a1f1d5439ac55dede4ebc1fcfb
Instruction ID: fbefee0a29097a927267ba84e455a386e341e54f531986227a952f9d98dec506
Opcode Fuzzy Hash: fc6ed514a044b27fc52e35cfb618499202c459a1f1d5439ac55dede4ebc1fcfb
Instruction Fuzzy Hash: C65181B24083955BD764EBA4CC819DF77ECAF84340F40492EE6C9D3191EF74A2888766

Function 0104B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 0104C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104C9F1
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA68
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0104BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0104BB63
RegCloseKey.ADVAPI32(?,?), ref: 0104BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0104BBB3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e9e68b0d9d3136ceecd07125299f3f192e93b9bdbe9f015f761622f2b79f2703
Instruction ID: 8c997f1514071a69452c306752793deb9f62c57c23df586d59bf35d5f0025307
Opcode Fuzzy Hash: e9e68b0d9d3136ceecd07125299f3f192e93b9bdbe9f015f761622f2b79f2703
Instruction Fuzzy Hash: C061B171208201AFD314DF14C9D5E2ABBE5FF84308F5489ACF5994B292CB75ED45CB92

Function 01028BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01028BCD
VariantClear.OLEAUT32 ref: 01028C3E
VariantClear.OLEAUT32 ref: 01028C9D
VariantClear.OLEAUT32(?), ref: 01028D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01028D3B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b4c36d5f9561daeb8a1c798823c0ac79e9c0da20542011c9506d83895a267153
Instruction ID: 36edb270ceac6da0f1f0a02a21a01363adec490a87d12bdcff4f6ef4ca282f72
Opcode Fuzzy Hash: b4c36d5f9561daeb8a1c798823c0ac79e9c0da20542011c9506d83895a267153
Instruction Fuzzy Hash: F5515AB5A00219EFDB14DF68C884AAABBF8FF89310F15855AE945DB314E734E911CF90

Function 01038AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01038BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01038BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01038C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01038C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01038C5F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: cd831354afce8adceb7492c874d56861ddf7a38359505caa93a54d9b34207fa5
Instruction ID: ea2eb0e494e14672a383a9df86922596e5aecf0d87be436f2c4c90f98eb02cc8
Opcode Fuzzy Hash: cd831354afce8adceb7492c874d56861ddf7a38359505caa93a54d9b34207fa5
Instruction Fuzzy Hash: 71516835A002199FDB00DF64C981E6ABBF5FF48314F088499E849AB362CB39ED41DF90

Function 01048EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01048F40
GetProcAddress.KERNEL32(00000000,?), ref: 01048FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01048FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01049032
FreeLibrary.KERNEL32(00000000), ref: 01049052

Part of subcall function 00FDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01031043,?,753CE610), ref: 00FDF6E6
Part of subcall function 00FDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0101FA64,00000000,00000000,?,?,01031043,?,753CE610,?,0101FA64), ref: 00FDF70D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 09e93c8422cd33b2c2627f7931ebdf7d9e1c48d159c395fb4261b8c8a878bf1b
Instruction ID: 4b7f992931857017d478aed608090e349aeb1558192706010a45a82c2b4400d6
Opcode Fuzzy Hash: 09e93c8422cd33b2c2627f7931ebdf7d9e1c48d159c395fb4261b8c8a878bf1b
Instruction Fuzzy Hash: 7B516974604205DFC711EF68C585DAEBBF1FF49314B0884A9E94A9B362DB35ED85CB80

Function 01056B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01056C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01056C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01056C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0103AB79,00000000,00000000), ref: 01056C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01056CC7

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f0263340b95ee0b540d5f7f52067775a0a7710d3a3eb08d3eb554bff981581ef
Instruction ID: 0f06b903666d9b5ff385603a40b38a702da9d3020213dea862018a54e16cda12
Opcode Fuzzy Hash: f0263340b95ee0b540d5f7f52067775a0a7710d3a3eb08d3eb554bff981581ef
Instruction Fuzzy Hash: 6541C535A04208AFE7A5CF6CC959FBB7FE8EB09360F840258ED95A7291C373AD40C650

Function 00FF2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF20C3
_free.LIBCMT ref: 00FF20E3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1a8eed09a4e8888141d04b25cd3cbc52040150e46bafcde02a75ddc74c51c3d5
Instruction ID: 8c57f22a2c6a7e2645df6a220866abae0c275933b4ab97703d0b14916a0ca378
Opcode Fuzzy Hash: 1a8eed09a4e8888141d04b25cd3cbc52040150e46bafcde02a75ddc74c51c3d5
Instruction Fuzzy Hash: F441E433E002089FCB20DF78C880A6DB7B5EF89324F154569E615EB3A1DB31AD01EB80

Function 00FD912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FD9141
ScreenToClient.USER32(00000000,?), ref: 00FD915E
GetAsyncKeyState.USER32(00000001), ref: 00FD9183
GetAsyncKeyState.USER32(00000002), ref: 00FD919D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 10343cc3b29f4ecf0c7cc66f4a9eab4bdf5db7023c97a0e0669709fb909940c6
Instruction ID: 044a94601c816fc27f02cf4e853ee734562ef4909876ad6971dd61849b0329d3
Opcode Fuzzy Hash: 10343cc3b29f4ecf0c7cc66f4a9eab4bdf5db7023c97a0e0669709fb909940c6
Instruction Fuzzy Hash: 3841B43190820BFBDF199FA8C844BEEB776FF05324F244216E465A32D4C7746990DB51

Function 01033874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 010338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 01033922
TranslateMessage.USER32(?), ref: 0103394B
DispatchMessageW.USER32(?), ref: 01033955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01033966

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 81f1fd8b8a77171f6b411398d4422467cb951aed67bbf60c3b21974bfb630fd7
Instruction ID: 36885ac89db7fc8daa7b1a8ac5323a10a0d7f69e1f744bcb2c2a192556ad6c5f
Opcode Fuzzy Hash: 81f1fd8b8a77171f6b411398d4422467cb951aed67bbf60c3b21974bfb630fd7
Instruction Fuzzy Hash: D731E670604342EEFB76CB389499BB73BECBB85314F04459AD5E2CA0C5E3799085CB11

Function 01021901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01021915
PostMessageW.USER32(00000001,00000201,00000001), ref: 010219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 010219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 010219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 010219E2

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9b43d79f1f7c8d8d4dcd9d9cda32fe75f73678573107cf7c19a7717bb0db474c
Instruction ID: ac73d9a9987f7da5e803d0d00c2e4bd04044b254b5cc04a961eacdda21b4b746
Opcode Fuzzy Hash: 9b43d79f1f7c8d8d4dcd9d9cda32fe75f73678573107cf7c19a7717bb0db474c
Instruction Fuzzy Hash: 3931D171A00329EFDB10CFACD988ADE7BB5EB05315F104269F9A1A72C1C770AA44CB90

Function 01055706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01055745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0105579D
_wcslen.LIBCMT ref: 010557AF
_wcslen.LIBCMT ref: 010557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01055816

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 3f929f67bb1c351c0e6931ecb7608c2c207d5774944ca2f798f7cf66bc983b60
Instruction ID: 69eb7900ce9aad227cb2baf9dce8faca9be687f0142404a8ae7a73bb45fae150
Opcode Fuzzy Hash: 3f929f67bb1c351c0e6931ecb7608c2c207d5774944ca2f798f7cf66bc983b60
Instruction Fuzzy Hash: 6821B931A002189BDB608FA4DC44AEF7BBCFF04324F004156EE99EB180D7749585CF50

Function 01040930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01040951
GetForegroundWindow.USER32 ref: 01040968
GetDC.USER32(00000000), ref: 010409A4
GetPixel.GDI32(00000000,?,00000003), ref: 010409B0
ReleaseDC.USER32(00000000,00000003), ref: 010409E8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8bfedec35270704c1dd543fc98fa96114bbf6e67285ec7070553c7c2d22a4e9a
Instruction ID: 554c472f67d6db4023bde53eb5815b8f22993ab465bffb57dd04901aca4ddd3d
Opcode Fuzzy Hash: 8bfedec35270704c1dd543fc98fa96114bbf6e67285ec7070553c7c2d22a4e9a
Instruction Fuzzy Hash: 1A218179600214AFE714EF65C985AAFBBE9EF48700F04846CE98AA7755CB35AD04CB60

Function 00FFCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FFCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FFCDE9

Part of subcall function 00FF3820: RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FFCE0F
_free.LIBCMT ref: 00FFCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FFCE31

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d2c5451e6b5bdfde33b3b39ec19b5e4d2bcda421a9551ed8f1d5d99abb62fd64
Instruction ID: 83f4bb5e290e63caba2530735bb2d16845394acd8dc267c2b07387d679b0e633
Opcode Fuzzy Hash: d2c5451e6b5bdfde33b3b39ec19b5e4d2bcda421a9551ed8f1d5d99abb62fd64
Instruction Fuzzy Hash: F301D872E0232D7F333115766D48DBF796DDEC6BA13150129FA05C7210DAA58D01A2F0

Function 00FD9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD9693
SelectObject.GDI32(?,00000000), ref: 00FD96A2
BeginPath.GDI32(?), ref: 00FD96B9
SelectObject.GDI32(?,00000000), ref: 00FD96E2

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 87eaa5fa18d3e23f1cbb504209ad8a964330b1e9b86ee760b89b4bac0a344714
Instruction ID: 71db9292ea3ec811aa7c1c44e91f531367788f0782f3d09a67925543df449371
Opcode Fuzzy Hash: 87eaa5fa18d3e23f1cbb504209ad8a964330b1e9b86ee760b89b4bac0a344714
Instruction Fuzzy Hash: A421D731915306EFDB219FA4D9047AE3BB9BB01375F144217F490A32D8D3BA9881DF94

Function 01025711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01025726
_memcmp.LIBVCRUNTIME ref: 01025744
_memcmp.LIBVCRUNTIME ref: 01025757
_memcmp.LIBVCRUNTIME ref: 0102576F
_memcmp.LIBVCRUNTIME ref: 01025787

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c0bee49b0996ae542609da0140424df80d30464be760a0971e74fee1834b3eed
Instruction ID: 705e089556986a285d88d997e1d33234931ae83f91d0fa2634a497f718159894
Opcode Fuzzy Hash: c0bee49b0996ae542609da0140424df80d30464be760a0971e74fee1834b3eed
Instruction Fuzzy Hash: 4501B57168126AFFE3489517AE82FFB739CBB513A4F004064FD449E202F774ED1092A8

Function 00FF2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FEF2DE,00FF3863,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6), ref: 00FF2DFD
_free.LIBCMT ref: 00FF2E32
_free.LIBCMT ref: 00FF2E59
SetLastError.KERNEL32(00000000,00FC1129), ref: 00FF2E66
SetLastError.KERNEL32(00000000,00FC1129), ref: 00FF2E6F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0f8e399b9b459c6ce72d5d182e3b3f26aaee1f3cbe00ce4f29b6268730e60cbb
Instruction ID: 2053b9150a0e5a7a0791731a718b0979a08fb658ed7e7d6a7b643956d3be0353
Opcode Fuzzy Hash: 0f8e399b9b459c6ce72d5d182e3b3f26aaee1f3cbe00ce4f29b6268730e60cbb
Instruction Fuzzy Hash: 8101F97264570C67D76226746D85D3F396DFFC17717340029FBA1A22B6EA6D8D017120

Function 0102000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?,?,0102035E), ref: 0102002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?), ref: 01020064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020070

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 775016a7bd9606ccbb0320c5774ec06b66a7b607d8a7611f24f2b9c73165178e
Instruction ID: 49618d706205f9e141dea2c8120205237df195ada79a64bab336dd8c921ea490
Opcode Fuzzy Hash: 775016a7bd9606ccbb0320c5774ec06b66a7b607d8a7611f24f2b9c73165178e
Instruction Fuzzy Hash: 82018F76600315BFFB204F68DD84BBA7EEDEB44661F144124FA85D2218E77ADD408BA0

Function 0102E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0102E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0102E9A5
Sleep.KERNEL32(00000000), ref: 0102E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0102E9B7
Sleep.KERNEL32 ref: 0102E9F3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4614b0e67ae559c83d784fdbc66a48fe57c561b9bae1b4f341d53f2537957d5f
Instruction ID: e642877e88f8ca021afe5ddd80ed9cc997a0799ec45559041ba475ac34664a1e
Opcode Fuzzy Hash: 4614b0e67ae559c83d784fdbc66a48fe57c561b9bae1b4f341d53f2537957d5f
Instruction Fuzzy Hash: 1901A931E00739DBDF10AFE4D948AEEBBB8FF09300F000546E582B2244CB398540CBA1

Function 010210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01021114
GetLastError.KERNEL32(?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 0102112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0102114D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 069303b0cfb008f26f1a1da742977bf44db4ed8064cfcdd712fc59ec456bfd54
Instruction ID: e043b3620bbb0da30e958fc9349c01ea1a824777dcd92ad0185cf534fe5804cc
Opcode Fuzzy Hash: 069303b0cfb008f26f1a1da742977bf44db4ed8064cfcdd712fc59ec456bfd54
Instruction Fuzzy Hash: E2016D75100315BFEB214F68DD4DA6B3FAEEF85260B200454F981D3340DA36DC00CB60

Function 01020FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01020FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01020FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01020FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01020FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01021002

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6ce9dfb5377d41418ef63570257862cce71599f0e3f29da56aec1fed4a6fa1d1
Instruction ID: 6b16d2dc145114adc28b87a22d66f864c82c4f98f8dac4887774af0d24e4b9a4
Opcode Fuzzy Hash: 6ce9dfb5377d41418ef63570257862cce71599f0e3f29da56aec1fed4a6fa1d1
Instruction Fuzzy Hash: 09F06D35200315ABEB214FA9DD8DF5B3FADEF8A762F104454FA86C7241CA7AD850CB60

Function 01021014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0102102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01021036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01021045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0102104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01021062

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a06c0d99acdc47571163ecbef9a2cda89288fb81a47933765e8a7a72fc9e7da3
Instruction ID: 029c6e9390a17db2386c57b52ad61555f1b5ff1565eae185d527ca8bcbdf85ae
Opcode Fuzzy Hash: a06c0d99acdc47571163ecbef9a2cda89288fb81a47933765e8a7a72fc9e7da3
Instruction Fuzzy Hash: E8F06235200355ABEB225FA9ED49F5B3FADEF8A661F100414FA85C7240CA79D950CB60

Function 0103030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 01030324
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 01030331
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 0103033E
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 0103034B
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 01030358
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 01030365

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5729b76d801c71698209bda207b0cc9fd31279ae19a4cdd116c2de0c1f89cbfb
Instruction ID: 7884c833a2d4ac1f258922a9c438a62bae0cb33c0ba16df69804613aff4bf91c
Opcode Fuzzy Hash: 5729b76d801c71698209bda207b0cc9fd31279ae19a4cdd116c2de0c1f89cbfb
Instruction Fuzzy Hash: 7C019072801B159FD7309F6AD880413FBF9BF902153158A7EE29652931C371A954CF80

Function 00FFD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FFD752

Part of subcall function 00FF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FFD764
_free.LIBCMT ref: 00FFD776
_free.LIBCMT ref: 00FFD788
_free.LIBCMT ref: 00FFD79A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff3bc7ab6b073c6d27c7731dd02710ec16d1091ef968dd97757ca232c6a9f97e
Instruction ID: cfe5b4b556f802e2732c2a8865657f32a76bc1c0d85f5b014c94c1115560ad0f
Opcode Fuzzy Hash: ff3bc7ab6b073c6d27c7731dd02710ec16d1091ef968dd97757ca232c6a9f97e
Instruction Fuzzy Hash: A5F0313399420DAB8675FA58F9C5C6A77FEBF047207940809F284DB525CB29FC406674

Function 01025C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 01025C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 01025C6F
MessageBeep.USER32(00000000), ref: 01025C87
KillTimer.USER32(?,0000040A), ref: 01025CA3
EndDialog.USER32(?,00000001), ref: 01025CBD

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8d1e4f79ef9215617b04075c971318f9c64c3d4278eeec3c4356e16cfa081f8d
Instruction ID: 8e2df1f8f233a0dd0ddf045d7b2f62c181a6bd319df1785eb67cb8aa91361425
Opcode Fuzzy Hash: 8d1e4f79ef9215617b04075c971318f9c64c3d4278eeec3c4356e16cfa081f8d
Instruction Fuzzy Hash: 89014F30500718AEFB315B14DE4EFE67BA8BB04B05F040659E6C2A24D1EBB5AA84CB94

Function 00FF22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF22BE

Part of subcall function 00FF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FF22D0
_free.LIBCMT ref: 00FF22E3
_free.LIBCMT ref: 00FF22F4
_free.LIBCMT ref: 00FF2305

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24e9867c0b110ed3124d9ac301a08b9282c34e8cb0ba75abbf296904f713c89f
Instruction ID: 75d89c3b5bc6d2d2633fd6345f69076680c9b498495b2d29f3233b7fc11d33f5
Opcode Fuzzy Hash: 24e9867c0b110ed3124d9ac301a08b9282c34e8cb0ba75abbf296904f713c89f
Instruction Fuzzy Hash: 4DF03AB19941268B9672BF58F82186C3B78BF18770700054AF5D4D72BDC77E0921BBA4

Function 00FD95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FD95D4
StrokeAndFillPath.GDI32(?,?,010171F7,00000000,?,?,?), ref: 00FD95F0
SelectObject.GDI32(?,00000000), ref: 00FD9603
DeleteObject.GDI32 ref: 00FD9616
StrokePath.GDI32(?), ref: 00FD9631

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ea526617203c95f48f53449e1aeddf87dbba1333ded96d8446ba345867cd10a6
Instruction ID: f80e624da2290eee8142b708211cd28c7f2fcb9617d255131c3866dc4e674be7
Opcode Fuzzy Hash: ea526617203c95f48f53449e1aeddf87dbba1333ded96d8446ba345867cd10a6
Instruction Fuzzy Hash: 90F08C30109305ABEB324FA5EA0C7653B66FB01372F088314F4A5551E8CB7A8991EF20

Function 00FF0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00FF10F9
__freea.LIBCMT ref: 00FF1117

Part of subcall function 00FF1537: _free.LIBCMT ref: 00FF154F

Strings

a/p, xrefs: 00FF11DE
am/pm, xrefs: 00FF117A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 85fdf72daf1dae6a87564b34e0e871f471321f03e0c2560f677e67fc458ccba5
Instruction ID: 72a914e65cc5cf7e90d6e2360b7f7b494bf4834d24f85fcb85d6548846b4ccb1
Opcode Fuzzy Hash: 85fdf72daf1dae6a87564b34e0e871f471321f03e0c2560f677e67fc458ccba5
Instruction Fuzzy Hash: 48D1F132D0420ECADB289F68C855BFAB7B5FF05720F280159EB01AB671D7759D80EB91

Function 01047B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00FE0242: EnterCriticalSection.KERNEL32(0109070C,01091884,?,?,00FD198B,01092518,?,?,?,00FC12F9,00000000), ref: 00FE024D
Part of subcall function 00FE0242: LeaveCriticalSection.KERNEL32(0109070C,?,00FD198B,01092518,?,?,?,00FC12F9,00000000), ref: 00FE028A

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 00FE00A3: __onexit.LIBCMT ref: 00FE00A9

__Init_thread_footer.LIBCMT ref: 01047BFB

Part of subcall function 00FE01F8: EnterCriticalSection.KERNEL32(0109070C,?,?,00FD8747,01092514), ref: 00FE0202
Part of subcall function 00FE01F8: LeaveCriticalSection.KERNEL32(0109070C,?,00FD8747,01092514), ref: 00FE0235

Strings

5, xrefs: 01047C78
Variable must be of type 'Object'., xrefs: 01047C3A
G, xrefs: 01047C7F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: f55fca800e16259770b1ef15fbce183d9bf57a4a4c469c97c85fe8a7c183c82e
Instruction ID: c9e2164b68d1e774368cbbd3842d1076a03a47fe38ffc55b5f9706e7d0ca3808
Opcode Fuzzy Hash: f55fca800e16259770b1ef15fbce183d9bf57a4a4c469c97c85fe8a7c183c82e
Instruction Fuzzy Hash: 68918EB1A00209EFCB15EF98D990DADBBB1FF44304F0480ADF9865B291DB71AE45DB51

Function 01022716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0102B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010221D0,?,?,00000034,00000800,?,00000034), ref: 0102B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01022760

Part of subcall function 0102B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0102B3F8

Part of subcall function 0102B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0102B355
Part of subcall function 0102B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01022194,00000034,?,?,00001004,00000000,00000000), ref: 0102B365
Part of subcall function 0102B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01022194,00000034,?,?,00001004,00000000,00000000), ref: 0102B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0102281A

Strings

@, xrefs: 01022832

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4e2d67942afb958d3c53ee9e712a54eee62b4f3f2dbe662dcd6aa37c0b1e2986
Instruction ID: 2ff18934a30ca6a78b7bc4e93f5192b1116fb8e91c737d5ed05faaab454efa2c
Opcode Fuzzy Hash: 4e2d67942afb958d3c53ee9e712a54eee62b4f3f2dbe662dcd6aa37c0b1e2986
Instruction Fuzzy Hash: 08412F72900229AFDB10DFA4CD85FDEBBB8EF19700F108095EA95B7180DA716E45CB61

Function 00FF172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00FF1769
_free.LIBCMT ref: 00FF1834
_free.LIBCMT ref: 00FF183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00FF1760, 00FF1767, 00FF1796, 00FF17CE

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 9df92f6a055baba808c5350048e08a5f0f20f4df1974a71b263d1f85dcb87b21
Instruction ID: 2075f4d73c826e748305919f1afbdd421ed24eab342bef83316e25a03a0c72ad
Opcode Fuzzy Hash: 9df92f6a055baba808c5350048e08a5f0f20f4df1974a71b263d1f85dcb87b21
Instruction Fuzzy Hash: 0B318172E0021CEBDB21EB999D81DAEBBBCFF85360F1441A6F60497221D6754A40EB90

Function 0102C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0102C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0102C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01091990,018B6488), ref: 0102C395

Strings

0, xrefs: 0102C2DF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 21cbbf032f2fe9ac569abe3a71c5172b4c1ead7f77f906ea0ec3ba2cc6efad80
Instruction ID: 932fd176a538bfd145a14d7148d12cf9d1caed34f5065f29ab7843383e3990ec
Opcode Fuzzy Hash: 21cbbf032f2fe9ac569abe3a71c5172b4c1ead7f77f906ea0ec3ba2cc6efad80
Instruction Fuzzy Hash: 4041B1712043529FE720DF29D944B6EBBE8AF85310F008A5EF9E5972D1D774EA04CB52

Function 01054416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0105CC08,00000000,?,?,?,?), ref: 010544AA
GetWindowLongW.USER32 ref: 010544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010544D7

Strings

SysTreeView32, xrefs: 0105447C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c7feb06b12c225732fc9be489bee18b4429d30318f59d59cc39aa6c79f027d64
Instruction ID: bb06c91960bfbaa25c410d36341b863104c9563076216457b68ab5e3e589c7bf
Opcode Fuzzy Hash: c7feb06b12c225732fc9be489bee18b4429d30318f59d59cc39aa6c79f027d64
Instruction Fuzzy Hash: 65319E31244205ABEFA18E78DC45BDB7BA9EB08338F204715FDB5E21D1EB74E8909B50

Function 0104304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0104335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01043077,?,?), ref: 01043378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0104307A
_wcslen.LIBCMT ref: 0104309B
htons.WSOCK32(00000000,?,?,00000000), ref: 01043106

Strings

255.255.255.255, xrefs: 01043095, 0104309A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 3421f1a6d43b1c57787d0d44edd3389d98b6a78ea19bd3033320f47d1f5649de
Instruction ID: 5bec164fb2ef510cd8dd5896452e8b6de167e3a13e271a85ead86bc06ed7f792
Opcode Fuzzy Hash: 3421f1a6d43b1c57787d0d44edd3389d98b6a78ea19bd3033320f47d1f5649de
Instruction Fuzzy Hash: 5F31EFB52042119FDB20CF28C5C5EAA7BF0FF14318F2491A9E9958F3A2CB72E941C760

Function 01053EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01053F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01053F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 01053F78

Strings

SysMonthCal32, xrefs: 01053F0B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0449927e36fb89c5e63b3ace5555b906815477471a23d3ae8ce5e568062b90b7
Instruction ID: 06ab2fb12e775e9ea2de5201e8d2733815b938335bde68ab92d50bd7ae7a8691
Opcode Fuzzy Hash: 0449927e36fb89c5e63b3ace5555b906815477471a23d3ae8ce5e568062b90b7
Instruction Fuzzy Hash: 85219F32640219BBEF229E54CC46FEB3BB9FB48754F110254FE95AB1C0D6B5A850DBA0

Function 01054653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01054705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01054713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0105471A

Strings

msctls_updown32, xrefs: 01054684

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9cb0a9cda91d15954b9cb040c5652300088b93ed98701c73f6114b79e4012803
Instruction ID: 1d4e5d2bb6ba4fe52ee7f0981309364fa1e87d3b45bdf5a37cade5141f6f83dd
Opcode Fuzzy Hash: 9cb0a9cda91d15954b9cb040c5652300088b93ed98701c73f6114b79e4012803
Instruction Fuzzy Hash: 1F218CB5604209AFEB51DF68DCC1DAB37EDEB4A3A4B000049FA40DB251DB75EC51CB60

Function 010295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0102961D

Strings

#OnAutoItStartRegister, xrefs: 010295F3
#notrayicon, xrefs: 010295B7
#requireadmin, xrefs: 010295D9

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 92f4ad4adfe281ded0b4e0d6a7fff5f4d676cca458da410ad6791c3168e27de9
Instruction ID: fc1cb6f1615fb8270d207ed4b9ae83ef3b34fe7bff00954eb7638a93d72049a7
Opcode Fuzzy Hash: 92f4ad4adfe281ded0b4e0d6a7fff5f4d676cca458da410ad6791c3168e27de9
Instruction Fuzzy Hash: D621AD3220423166E330BB29DC06FBB73DD9F95308F40402AFAC99B042EB58A941D3D1

Function 010537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01053840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01053850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01053876

Strings

Listbox, xrefs: 0105380F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 445ae687424112b40bc90dfb38b8901873ae6871d80b429a6ff34dd828b53559
Instruction ID: a45aabc3409b209e67772be77693ad3c7118574fd750f2033cb9fef94fba0380
Opcode Fuzzy Hash: 445ae687424112b40bc90dfb38b8901873ae6871d80b429a6ff34dd828b53559
Instruction Fuzzy Hash: 1B21C232600218BBEF628E69CC45FBB37AEFF89790F108154FD909B190C676DC5287A0

Function 010349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01034A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01034A5C
SetErrorMode.KERNEL32(00000000,?,?,0105CC08), ref: 01034AD0

Strings

%lu, xrefs: 01034A6F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f1ec5e98b3a26af9f77a6649fdc55a4342af8f1f3c6a3416cc2b70674ae6047b
Instruction ID: 5878fce4d41e3be044c3b470a421674c57d96c8aa98b4be13f0690141eae28eb
Opcode Fuzzy Hash: f1ec5e98b3a26af9f77a6649fdc55a4342af8f1f3c6a3416cc2b70674ae6047b
Instruction Fuzzy Hash: 7E315E71A00209AFDB10DF54C985EAA7BF8EF48308F1480A9E949DF252D775ED46CB61

Function 010541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0105424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01054264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01054271

Strings

msctls_trackbar32, xrefs: 01054226

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ae7705aeb16db7a903e6b66cb8ce6bdbb28850fc3a3e9dfb30adb743840aea6
Instruction ID: c88558bb840f3568a585a652880a106d19109d9b477f517bb18787fbf7f4f156
Opcode Fuzzy Hash: 7ae7705aeb16db7a903e6b66cb8ce6bdbb28850fc3a3e9dfb30adb743840aea6
Instruction Fuzzy Hash: 7511C631240348BEEF615E69CC46FEB3BACEF85B64F114514FE95E6090D271D8519B24

Function 01022F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

Part of subcall function 01022DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01022DC5
Part of subcall function 01022DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01022DD6
Part of subcall function 01022DA7: GetCurrentThreadId.KERNEL32 ref: 01022DDD
Part of subcall function 01022DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01022DE4

GetFocus.USER32 ref: 01022F78

Part of subcall function 01022DEE: GetParent.USER32(00000000), ref: 01022DF9

GetClassNameW.USER32(?,?,00000100), ref: 01022FC3
EnumChildWindows.USER32(?,0102303B), ref: 01022FEB

Strings

%s%d, xrefs: 01022FFF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 09d92d404c98d90540864b93d3f1c40ef5ef360e474cf10b07f70ca5fe1f88bd
Instruction ID: 7e4952978d914b6301455869c4a395c666c96c15059a7a269833931186906646
Opcode Fuzzy Hash: 09d92d404c98d90540864b93d3f1c40ef5ef360e474cf10b07f70ca5fe1f88bd
Instruction Fuzzy Hash: 3811D2716002166BDF50BFB48DD5EEE37AAAF98304F044079FD499B242DE3899098B70

Function 01055882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010558EE
DrawMenuBar.USER32(?), ref: 010558FD

Strings

0, xrefs: 0105588F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 616d06190e5fcf2f265ef90fd60b42d2141ed7c39d5255eea021ffa453838e51
Instruction ID: 1dd77153000ad00130a6ac6b7b6de0376c3faaba2fb4673c87f4f1933ce12a6d
Opcode Fuzzy Hash: 616d06190e5fcf2f265ef90fd60b42d2141ed7c39d5255eea021ffa453838e51
Instruction Fuzzy Hash: B2016131500218AFDB619F55DC44BAFBBB9FB45364F048099E889D6251DB348A84DF61

Function 0101D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0101D3BF
FreeLibrary.KERNEL32 ref: 0101D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0101D3B9
X64, xrefs: 0101D2A8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: d7ed90a4c88483248fbe65d84a97ea4b3c379c573aade55f8c2c05c19f54bede
Instruction ID: b6dfd4901c6b8ff6e9a1d4726e2b34e6ca786d8105251167d40b9e8a623aff27
Opcode Fuzzy Hash: d7ed90a4c88483248fbe65d84a97ea4b3c379c573aade55f8c2c05c19f54bede
Instruction Fuzzy Hash: 3AF05C7200531197E7B452548C9C9AE3718BF12715F44C18AE0D3F104DCB3CC540C785

Function 0102007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ea02057f1d6a30876e026698e005257b356104e48ac8180fce1b5fb07204a8
Instruction ID: 0be4515f94894a95ba8bd3b87cb365e250b41f67b7cd48a451182c11181d5197
Opcode Fuzzy Hash: d8ea02057f1d6a30876e026698e005257b356104e48ac8180fce1b5fb07204a8
Instruction Fuzzy Hash: E3C15B75A0021AEFDB14CFA8C884AAEBBB9FF48704F208599F545EB255D731ED41CB90

Function 00FF3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FF3F0B
__alldvrm.LIBCMT ref: 00FF410C
__alldvrm.LIBCMT ref: 00FF412E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2b7027e846b0f6f2f0bc2e31333edb290ec2d9565d66f1d30de4da68da649eef
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: A8A15972D0038A9FEB26DF18C8917BFBBE4EF61360F14416DE6859B2A1C638A941D750

Function 0104342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01043459
CoUninitialize.OLE32 ref: 01043463
VariantInit.OLEAUT32(?), ref: 0104346E
VariantClear.OLEAUT32(?), ref: 0104371B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 0f78c019b3bce08202bfd699428d890e2b0b39eed1c79e891f852de8dca30fce
Instruction ID: 368889bcebccb9c232afd57efd910653a6b9d96022c1082003f9aa9ae1d6716a
Opcode Fuzzy Hash: 0f78c019b3bce08202bfd699428d890e2b0b39eed1c79e891f852de8dca30fce
Instruction Fuzzy Hash: D7A137752043119FD710EF28C985A2ABBE5FF88314F08885DF98A9B361DB35ED01DB91

Function 01020436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0105FC08,?), ref: 010205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0105FC08,?), ref: 01020608
CLSIDFromProgID.OLE32(?,?,00000000,0105CC40,000000FF,?,00000000,00000800,00000000,?,0105FC08,?), ref: 0102062D
_memcmp.LIBVCRUNTIME ref: 0102064E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 497965705cadaef097f8ae0f0781ec86a54b8c01d7717c07b43586492d41f4d3
Instruction ID: ced5567843407ee112d180f357f685bed23cf182342c689d18a3009ad9bc2e97
Opcode Fuzzy Hash: 497965705cadaef097f8ae0f0781ec86a54b8c01d7717c07b43586492d41f4d3
Instruction Fuzzy Hash: 25815071A00219EFCB04DF94C988EEEB7B9FF89315F204598F546AB254DB71AE05CB60

Function 0104A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0104A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0104A6BA

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0104A79C
CloseHandle.KERNEL32(00000000), ref: 0104A7AB

Part of subcall function 00FDCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01003303,?), ref: 00FDCE8A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: bda95046a615943340c998abe2ec74f6721fa02008c075686354844d11121dc2
Instruction ID: f0b2b772cb85bf416c70cb1a2541c179a72cf25585b3b6ac68e39768965945e0
Opcode Fuzzy Hash: bda95046a615943340c998abe2ec74f6721fa02008c075686354844d11121dc2
Instruction Fuzzy Hash: F3515AB1508301AFD710EF24C986E6BBBE8FF89714F40492DF58697291EB35D904CB92

Function 01001391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010014C0

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd326112c5786cc68e1aad10b544c2e36f6e9bf5c274c0ee6569ece6e748d7f2
Instruction ID: 6a91ccc7e237350db23c32672a40b31e5b8034d3b18d9b90e40751d17e4e44a4
Opcode Fuzzy Hash: bd326112c5786cc68e1aad10b544c2e36f6e9bf5c274c0ee6569ece6e748d7f2
Instruction Fuzzy Hash: F0414631A00205ABFB23AABD8C45BBE3AE4EF41330F154265F658971E2EF79C4416262

Function 01056278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 010562E2
ScreenToClient.USER32(?,?), ref: 01056315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01056382

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f3eeabe7fce9bb70d79d3acbab7432df873b0add823de7b7d481e6a8e0d3f658
Instruction ID: 5fc9d20a75f183dc8af542d1b241d03fc14bea7e21bf80b713219b8c9ce26f9f
Opcode Fuzzy Hash: f3eeabe7fce9bb70d79d3acbab7432df873b0add823de7b7d481e6a8e0d3f658
Instruction Fuzzy Hash: D5515C70A00209EFDFA1CF58D980AAF7BF5FB45360F508199F9959B292D732E981CB50

Function 01041AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01041AFD
WSAGetLastError.WSOCK32 ref: 01041B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01041B8A
WSAGetLastError.WSOCK32 ref: 01041B94

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 523e3bbc49d36204cfa832cf857e87874d2089ae518867c0d81bf65e184ab8c4
Instruction ID: e4cb7a9ca8c49f5e35b1a517a4c62c4f1450491dddf1b88055fcf5c0fbba57a5
Opcode Fuzzy Hash: 523e3bbc49d36204cfa832cf857e87874d2089ae518867c0d81bf65e184ab8c4
Instruction Fuzzy Hash: AF41B2746003016FE720AF24C986F2A7BE5AB44718F54849CFA5A9F3C2D676ED818B90

Function 00FFB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fce14e6c8cafb1f75b4031ec118ba4a736ec5ed3e97d914e410b5da28e9559c
Instruction ID: 64117a5a64c19083e338ed2d629bb6943907866e0835a3db4990418b31168776
Opcode Fuzzy Hash: 3fce14e6c8cafb1f75b4031ec118ba4a736ec5ed3e97d914e410b5da28e9559c
Instruction Fuzzy Hash: 96410B76900748AFD724DF38CC41BBA7BA9EF84720F10452AF251DB691D77599019B90

Function 010356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01035783
GetLastError.KERNEL32(?,00000000), ref: 010357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010357FA

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1b484912ae6a401dde589ccb686ef490d13793cfd00427af1a97614fea848075
Instruction ID: fe1c1b41a3ff22f704ceade936c011008234925befbc3e0839f21a69175582d1
Opcode Fuzzy Hash: 1b484912ae6a401dde589ccb686ef490d13793cfd00427af1a97614fea848075
Instruction Fuzzy Hash: 7B414F39600611DFCB11EF15C945A5EBBE5EF89320B188888E84A6B366CB35FD01DF91

Function 00FFD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FE6D71,00000000,00000000,00FE82D9,?,00FE82D9,?,00000001,00FE6D71,8BE85006,00000001,00FE82D9,00FE82D9), ref: 00FFD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FFD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FFD9AB
__freea.LIBCMT ref: 00FFD9B4

Part of subcall function 00FF3820: RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7c62f54f5a8de592c0e94589bbf6ffb18401886169a6a0a57e3b2dc770f66687
Instruction ID: 95f72d93f5b0d77c6d0ba962940be430b4958368d00eb7fc78f532c981e887db
Opcode Fuzzy Hash: 7c62f54f5a8de592c0e94589bbf6ffb18401886169a6a0a57e3b2dc770f66687
Instruction Fuzzy Hash: E631CE72A0020EABDB259FA5DC45EBE7BA6EF41760F050168FD04D6160EB79CD50EBA0

Function 0102AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0102AAAC
SetKeyboardState.USER32(00000080), ref: 0102AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0102AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0102AB88

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7c9c10074833e02d3242985475d368452044fda7086bd36f84ff0dde66d71398
Instruction ID: a0225fc4290b8eca5e7a3b2a1e1b556d79d9620eb2e80f081cd7ed1188fb4fe6
Opcode Fuzzy Hash: 7c9c10074833e02d3242985475d368452044fda7086bd36f84ff0dde66d71398
Instruction Fuzzy Hash: EE312A30B40328EEFF368A68C808BFE7BEAAF44310F04469AE5C5579D2DB758585C761

Function 010552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01055352
GetWindowLongW.USER32(?,000000F0), ref: 01055375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01055382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010553A8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 25df0896bd9a1899cc8938fd4415a52a2aed18be82e6fe8c311760f3de133bb2
Instruction ID: 75d9220f64e9d5312b9a40fc3f2db3631ab8a75c69c2fff6ea8951b67a38564c
Opcode Fuzzy Hash: 25df0896bd9a1899cc8938fd4415a52a2aed18be82e6fe8c311760f3de133bb2
Instruction Fuzzy Hash: 4731C434A55208EFFBF48E58CC05BEA3BA5AB04350F48C151FED9961D2C7B5AA80DB52

Function 01057674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0105769A
GetWindowRect.USER32(?,?), ref: 01057710
PtInRect.USER32(?,?,01058B89), ref: 01057720
MessageBeep.USER32(00000000), ref: 0105778C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f09d56f59c9ff5a3f38d71bd459fbc3da64c5a7386018102f806a79267300f0e
Instruction ID: 92597dc3a88f82dcd8e082462c71cd736eab5585e7cafac1fc1f805499611316
Opcode Fuzzy Hash: f09d56f59c9ff5a3f38d71bd459fbc3da64c5a7386018102f806a79267300f0e
Instruction Fuzzy Hash: 9B41BF34601209EFDB92CF58E498EAA7BF4FF49314F4440E8E9949B255C331E941DF90

Function 010516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010516EB

Part of subcall function 01023A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01023A57
Part of subcall function 01023A3D: GetCurrentThreadId.KERNEL32 ref: 01023A5E
Part of subcall function 01023A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010225B3), ref: 01023A65

GetCaretPos.USER32(?), ref: 010516FF
ClientToScreen.USER32(00000000,?), ref: 0105174C
GetForegroundWindow.USER32 ref: 01051752

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e8b09edd048a90120d70e915cd38147c59c728113f29a21cbe6bc7cc7bc87b01
Instruction ID: 74d5596b3c1afd704519a167e9108fd4e795d8607ad56c0d76387b92443108b9
Opcode Fuzzy Hash: e8b09edd048a90120d70e915cd38147c59c728113f29a21cbe6bc7cc7bc87b01
Instruction Fuzzy Hash: C7313D75D00249AFDB00EFA9C981DAEBBFDFF48204B5080AEE455E7201DB359E45CBA0

Function 0102DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

_wcslen.LIBCMT ref: 0102DFCB
_wcslen.LIBCMT ref: 0102DFE2
_wcslen.LIBCMT ref: 0102E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0102E018

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: f3b34a9b267624daadc50b9ec166458fade19f30ae794643b93478a70da940ff
Instruction ID: 95201a1699ac5e59035073880438aead9c692ea35cef33e9dd9c81587580b677
Opcode Fuzzy Hash: f3b34a9b267624daadc50b9ec166458fade19f30ae794643b93478a70da940ff
Instruction Fuzzy Hash: 3C21D371900224AFCB219FA8DD81BAEB7F8EF45710F1440A9F944BB246D6789E418BA1

Function 01058FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

GetCursorPos.USER32(?), ref: 01059001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01017711,?,?,?,?,?), ref: 01059016
GetCursorPos.USER32(?), ref: 0105905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01017711,?,?,?), ref: 01059094

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 165e5bd2c6c2dfdc839487b4c4f87bfb2c87773b7afd48686e2383070e96c7cd
Instruction ID: 9cb118b69f2858dfe64353258ea2cbfc61af8ae51feef5f4e46cb83b6f38884d
Opcode Fuzzy Hash: 165e5bd2c6c2dfdc839487b4c4f87bfb2c87773b7afd48686e2383070e96c7cd
Instruction Fuzzy Hash: 51219135600118FFEB658F98C858EEB7BF9FB49364F044495FA8547251C3369990EB60

Function 0102D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0105CB68), ref: 0102D2FB
GetLastError.KERNEL32 ref: 0102D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0102D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0105CB68), ref: 0102D376

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c047456eb4460d8440e0a095579aed3bd29f15526f4fecf3062275dbbf764add
Instruction ID: 1344b874547442a1576d1a4ef7a4fc1fd9ad3a15001eb148874b79e7d709b27e
Opcode Fuzzy Hash: c047456eb4460d8440e0a095579aed3bd29f15526f4fecf3062275dbbf764add
Instruction Fuzzy Hash: 3221D1705083129F9310DF68C9858AF7BE8EE56364F108A5DF4D9C7291D731DD49CB92

Function 01021571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01021014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0102102A
Part of subcall function 01021014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01021036
Part of subcall function 01021014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01021045
Part of subcall function 01021014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0102104C
Part of subcall function 01021014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01021062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010215BE
_memcmp.LIBVCRUNTIME ref: 010215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01021617
HeapFree.KERNEL32(00000000), ref: 0102161E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c1cb4f38e629f7c7f297ea23309b30e65607bdb136d445d24408a1464e6fc85f
Instruction ID: 4aaed2ca57ea1de82ab5bc9df9d8903ce51dbf1e67dfd44da2d91b179c47b79e
Opcode Fuzzy Hash: c1cb4f38e629f7c7f297ea23309b30e65607bdb136d445d24408a1464e6fc85f
Instruction Fuzzy Hash: 27219031E00219EFDF10CFA8C948BEEBBF8EF44354F184499E585A7240D735AA05CB50

Function 01052782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0105280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01052824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01052832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01052840

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f56ec5742d138b0896b10211b311dc46566a93275d0878aedaacd68a3dfd44d2
Instruction ID: 969c488644234ff1612b2d200b38514a0113b624c96965310aeeb23e8eb14cff
Opcode Fuzzy Hash: f56ec5742d138b0896b10211b311dc46566a93275d0878aedaacd68a3dfd44d2
Instruction Fuzzy Hash: D321F135205211EFE754DB24C845FAB7B99EF45328F148158F8A68B6D2C776EC82C7D0

Function 0103CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0103CE89
GetLastError.KERNEL32(?,00000000), ref: 0103CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0103CEFE

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: bdd58702b5b516df6bf66be87b0dd4ee23bd6a40b143a8bac5a7e6810c677641
Instruction ID: 44b7f7579f2d4e06348de63256a94043e59647406c2f26f0fb0a2c3fe8bfac48
Opcode Fuzzy Hash: bdd58702b5b516df6bf66be87b0dd4ee23bd6a40b143a8bac5a7e6810c677641
Instruction Fuzzy Hash: 6721BD715003059FF730DF69CA48BABBBFCEB80354F10445EE686E2142E775EA048B60

Function 010278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01028D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0102790A,?,000000FF,?,01028754,00000000,?,0000001C,?,?), ref: 01028D8C
Part of subcall function 01028D7D: lstrcpyW.KERNEL32(00000000,?,?,0102790A,?,000000FF,?,01028754,00000000,?,0000001C,?,?,00000000), ref: 01028DB2
Part of subcall function 01028D7D: lstrcmpiW.KERNEL32(00000000,?,0102790A,?,000000FF,?,01028754,00000000,?,0000001C,?,?), ref: 01028DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01028754,00000000,?,0000001C,?,?,00000000), ref: 01027923
lstrcpyW.KERNEL32(00000000,?,?,01028754,00000000,?,0000001C,?,?,00000000), ref: 01027949
lstrcmpiW.KERNEL32(00000002,cdecl,?,01028754,00000000,?,0000001C,?,?,00000000), ref: 01027984

Strings

cdecl, xrefs: 0102797B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 158bef9a6aa1261b846548b5817782154cae9b63e6c4e699a1d0bab71b01dc93
Instruction ID: 9f66daf7eea92931e9821e607a35c2677ff5576a14c3dc461593b09c14d85b08
Opcode Fuzzy Hash: 158bef9a6aa1261b846548b5817782154cae9b63e6c4e699a1d0bab71b01dc93
Instruction Fuzzy Hash: 4C11293A300312ABDB256F38C844D7B77E9FF55350B00402AF986CB364EB329801C751

Function 01057CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01057D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01057D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01057D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0103B7AD,00000000), ref: 01057D6B

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6aa202f2e4f395b91c94108beebf1694692ab58a051640b7a280bc0d67b50cea
Instruction ID: 15fb8d309dce822ab707f8654a5ec2c256ccb40bfd056269c540bc355ccd2e8a
Opcode Fuzzy Hash: 6aa202f2e4f395b91c94108beebf1694692ab58a051640b7a280bc0d67b50cea
Instruction Fuzzy Hash: 3B11F032200615AFDBA09F2CCC04A6B3BA9FB45370B514324FDB5C72E0D7328950EB60

Function 01055660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010556BB
_wcslen.LIBCMT ref: 010556CD
_wcslen.LIBCMT ref: 010556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01055816

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 1bd50cc5b6b2fc972b0336d0cf3676c078ababbcfc0c3386a102632e1a637890
Instruction ID: 1951424a5522d1f7367a65529bb7afd98e7c3932238886d7b7cf6391b552d276
Opcode Fuzzy Hash: 1bd50cc5b6b2fc972b0336d0cf3676c078ababbcfc0c3386a102632e1a637890
Instruction Fuzzy Hash: 7B11B17160020996EFA09FA5DC85AEF7BBCFF05764B00406AFE95D6081EB749640CFB0

Function 00FF1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5bfc3761e41d799b11f7fef9d1b2350da203f66cb663a0a774f9554bbaada0
Instruction ID: 937ae52759bccefeb728a6163fed1d97d0d43bd02996e3abe81b1c76373d7e84
Opcode Fuzzy Hash: 6e5bfc3761e41d799b11f7fef9d1b2350da203f66cb663a0a774f9554bbaada0
Instruction Fuzzy Hash: A801ADB260A61EBEF72125786CC0F3B762DEF423B8B340329F721A11E5DB658C007264

Function 01021A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01021A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01021A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01021A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01021A8A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4189b309e5a76ac91201e5b46e8f98ace0ddba22304051c9ed3839c94d0bd66c
Instruction ID: ff4a8a493b0f23d017302b36c77e9dbaffa0023c145c5dd4c44da214b08c8f70
Opcode Fuzzy Hash: 4189b309e5a76ac91201e5b46e8f98ace0ddba22304051c9ed3839c94d0bd66c
Instruction Fuzzy Hash: F9110C3AD00229FFEB11DBA5C985FADFBB8FB08750F200091E644B7290D6716E51DB94

Function 0102E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0102E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0102E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0102E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0102E24D

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f9ea8a2516c003674340cc0f445045619a2605dd3e8e5cca68ab7f656b50fb85
Instruction ID: 19767be8447e59052059ec416c8d4a70fa739453ac8cb91361acf3b851964a2e
Opcode Fuzzy Hash: f9ea8a2516c003674340cc0f445045619a2605dd3e8e5cca68ab7f656b50fb85
Instruction Fuzzy Hash: 0D110C71A04359BFD7119FA8DD09A9F7FACEB46220F008255F955E3284D2B589048760

Function 00FED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00FECFF9,00000000,00000004,00000000), ref: 00FED218
GetLastError.KERNEL32 ref: 00FED224
__dosmaperr.LIBCMT ref: 00FED22B
ResumeThread.KERNEL32(00000000), ref: 00FED249

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a0a906d888b03a6a9feae11351f587239bd0c1452d511eb86f41f039444e9b57
Instruction ID: 81b0b14119ce1ade1e71acfa9d3b4be365ea80f3cc04aadcae8f3cc528956beb
Opcode Fuzzy Hash: a0a906d888b03a6a9feae11351f587239bd0c1452d511eb86f41f039444e9b57
Instruction Fuzzy Hash: 2201F936805288BBD7215BA7DC05BAF7B6DDF81730F104259FA25925D0DF75C901E7A0

Function 01059EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

GetClientRect.USER32(?,?), ref: 01059F31
GetCursorPos.USER32(?), ref: 01059F3B
ScreenToClient.USER32(?,?), ref: 01059F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 01059F7A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: d3632bef8d7902ad8f8f9652160fe65fc2156b407aa45b9efb2c170c820036fa
Instruction ID: 33bf72fc92ada6eeb5889cbfeca81846409367af6cb81b17fd5210bfec25f3e6
Opcode Fuzzy Hash: d3632bef8d7902ad8f8f9652160fe65fc2156b407aa45b9efb2c170c820036fa
Instruction Fuzzy Hash: B011483290021AEBDF50DFA8C8899EF7BB9FB45315F400451F981E3140D335BA81CBA1

Function 00FC600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FC604C
GetStockObject.GDI32(00000011), ref: 00FC6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC606A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d3b6800dd71f4fb2895a796615c03272c5c64b961f93071839f1ddc207d10459
Instruction ID: 72f97511b8928669d90ae0f5f50cb3a71bde366d758f9ceb99b4658fb9ad0cdc
Opcode Fuzzy Hash: d3b6800dd71f4fb2895a796615c03272c5c64b961f93071839f1ddc207d10459
Instruction Fuzzy Hash: C3118E7250560ABFEF224F948D45FEA7B6DFF08364F000115FA04A2000C7369C60ABA0

Function 00FE3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00FE3B56

Part of subcall function 00FE3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FE3AD2
Part of subcall function 00FE3AA3: ___AdjustPointer.LIBCMT ref: 00FE3AED

_UnwindNestedFrames.LIBCMT ref: 00FE3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FE3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00FE3BA4

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 825e645a79ac3ece8169eb8bd2b9bb841a3d90a7b004d782c84c51b6eb440ce7
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 54014032500189BBDF125E96CC4ADEB3F6DFF88754F044058FE4896121C736E961EBA0

Function 00FF3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FC13C6,00000000,00000000,?,00FF301A,00FC13C6,00000000,00000000,00000000,?,00FF328B,00000006,FlsSetValue), ref: 00FF30A5
GetLastError.KERNEL32(?,00FF301A,00FC13C6,00000000,00000000,00000000,?,00FF328B,00000006,FlsSetValue,01062290,FlsSetValue,00000000,00000364,?,00FF2E46), ref: 00FF30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FF301A,00FC13C6,00000000,00000000,00000000,?,00FF328B,00000006,FlsSetValue,01062290,FlsSetValue,00000000), ref: 00FF30BF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 490e0acce2951e960d81eca62ebae9fc92611ae47bde9cd0752e64fe68f818ed
Instruction ID: ee839804e09a3a17c0992c15271db26ffd4542258e3810f8f482ae826047071b
Opcode Fuzzy Hash: 490e0acce2951e960d81eca62ebae9fc92611ae47bde9cd0752e64fe68f818ed
Instruction Fuzzy Hash: A001473270132AABDB304A789C44E777B9CEF05BB4B100621FA45E3254DF26DA01D7E0

Function 01027464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0102747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01027497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010274CA

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: d9a39f48b92bd5da6b08e0daf04a04bd3f6bcdabd479b32c4a02181bf0e42304
Instruction ID: 7556b7f3a5663cf406e144fc6d14467fa2bdd21451dc824e94253858fc94a8b4
Opcode Fuzzy Hash: d9a39f48b92bd5da6b08e0daf04a04bd3f6bcdabd479b32c4a02181bf0e42304
Instruction Fuzzy Hash: FE118BB5201320ABF7308F14DD08FA67FFCEB00B04F008569E696D6181DBB5E904CBA1

Function 0102B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0102ACD3,?,00008000), ref: 0102B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0102ACD3,?,00008000), ref: 0102B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0102ACD3,?,00008000), ref: 0102B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0102ACD3,?,00008000), ref: 0102B126

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 41b710229045498fe8d2c086e41581933501d69b05225a73cf4e7345f68cae6c
Instruction ID: fb33b0d7d1e937f922553ee362e5017bfaad3eb9243538435023be46324feaee
Opcode Fuzzy Hash: 41b710229045498fe8d2c086e41581933501d69b05225a73cf4e7345f68cae6c
Instruction Fuzzy Hash: 58113931C01629E7DF11AFE4E9986EEBFB8FF0A711F504086E981B2285CB3996508B55

Function 01057E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01057E33
ScreenToClient.USER32(?,?), ref: 01057E4B
ScreenToClient.USER32(?,?), ref: 01057E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01057E8A

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4066c0b740e7ae955e46f5a6b9751c24b9ca1fe3610084a0b223e03a3f8fe276
Instruction ID: e568d8caa0eba89b78b4cf4b64daced9c4eae3c38b3658fac0352487cdefa7a7
Opcode Fuzzy Hash: 4066c0b740e7ae955e46f5a6b9751c24b9ca1fe3610084a0b223e03a3f8fe276
Instruction Fuzzy Hash: 7F1142B9D0020AAFDB51CF98C584AEEBBF9FF08310F509066E955E3214D735AA54DF90

Function 01022DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01022DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 01022DD6
GetCurrentThreadId.KERNEL32 ref: 01022DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01022DE4

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 260dfbdfd573fb5f368c6ec1a7b8305734f0ba2320755eca3cc79f3630907840
Instruction ID: 0e7c5c3577205f400a5fbc757875344ff7bb0714b850363c8c621912150291eb
Opcode Fuzzy Hash: 260dfbdfd573fb5f368c6ec1a7b8305734f0ba2320755eca3cc79f3630907840
Instruction Fuzzy Hash: 39E092721013347BE7302AB69D0DFEB3EACEF47BA1F000015F245D50809AAAD540C7B0

Function 01058863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD9693
Part of subcall function 00FD9639: SelectObject.GDI32(?,00000000), ref: 00FD96A2
Part of subcall function 00FD9639: BeginPath.GDI32(?), ref: 00FD96B9
Part of subcall function 00FD9639: SelectObject.GDI32(?,00000000), ref: 00FD96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01058887
LineTo.GDI32(?,?,?), ref: 01058894
EndPath.GDI32(?), ref: 010588A4
StrokePath.GDI32(?), ref: 010588B2

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e9694a11348cabed0155245296ab43b4f821a0eac7eab300386823e10652c3c5
Instruction ID: f572d8dd77a1b462a595137e8a792507b533477bfaec4c1637ede9a3f07d33ab
Opcode Fuzzy Hash: e9694a11348cabed0155245296ab43b4f821a0eac7eab300386823e10652c3c5
Instruction Fuzzy Hash: C2F09A36001319BAEB222E94AD09FCB3F5DAF06320F048001FE91610C5C3BA5110CBA9

Function 00FD98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FD98CC
SetTextColor.GDI32(?,?), ref: 00FD98D6
SetBkMode.GDI32(?,00000001), ref: 00FD98E9
GetStockObject.GDI32(00000005), ref: 00FD98F1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 72b96a4842e01d3b19c37d29bd6070caca7da94282854eeefea9bdeeba8c96cb
Instruction ID: d49cabd6abcf88491c97ae853327cc0aa9056cf820c501841a6239c1f1409b0b
Opcode Fuzzy Hash: 72b96a4842e01d3b19c37d29bd6070caca7da94282854eeefea9bdeeba8c96cb
Instruction Fuzzy Hash: C1E06531244380AAEB315B78A909BD93F55AB02335F088219F7F9540D5C7764240DB11

Function 0102162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 01021634
OpenThreadToken.ADVAPI32(00000000,?,?,?,010211D9), ref: 0102163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010211D9), ref: 01021648
OpenProcessToken.ADVAPI32(00000000,?,?,?,010211D9), ref: 0102164F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1e51ec227962b63eedc36be0268cf6ce6774e20619723c89ba9527f75ac8142b
Instruction ID: 3156863338a1c52399aef8c244be26271891a64f410ee9b7c87bba6b37bfb90e
Opcode Fuzzy Hash: 1e51ec227962b63eedc36be0268cf6ce6774e20619723c89ba9527f75ac8142b
Instruction Fuzzy Hash: D7E08671602321ABE7701FA49F0DB4B3BBDEF45B91F144848F2C5C9084D6394040C750

Function 0101D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0101D858
GetDC.USER32(00000000), ref: 0101D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0101D882
ReleaseDC.USER32(?), ref: 0101D8A3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9c4535fa121db15e342185bbb6d2ccb7a22d4e23201f1ebc0cf08d07dfcdd019
Instruction ID: 15bc655d60e8b96ee5da7f22c36bab3f2bacd7c387c8efb1b5a28d87e672d415
Opcode Fuzzy Hash: 9c4535fa121db15e342185bbb6d2ccb7a22d4e23201f1ebc0cf08d07dfcdd019
Instruction Fuzzy Hash: 2EE075B5800305DFDB519FA0960CA6EBBBAEB48711B149459E88AE7248C73D5A41EF60

Function 0101D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0101D86C
GetDC.USER32(00000000), ref: 0101D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0101D882
ReleaseDC.USER32(?), ref: 0101D8A3

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b0555acbffb9704454f755d726630b6d7756ac5a0f549585164f7bed5d4d652a
Instruction ID: 51bd1eaeaf72a3cddfd219a381250ad2eaa6c50df360bc5e162ab0302453b3ca
Opcode Fuzzy Hash: b0555acbffb9704454f755d726630b6d7756ac5a0f549585164f7bed5d4d652a
Instruction Fuzzy Hash: 4DE09A75800305DFDF619FA0D60C66EBBB9FB48711B149449F98AE7244C73D6A01EF60

Function 01034D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01034ED4

Strings

*, xrefs: 01034E10
LPT, xrefs: 01034DFB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 31fdf4a9f3fd2043cce9a652e473f0a16c1e1a8f130391f4598760690e5349be
Instruction ID: 9e4a14efe0b6cd8b61fa12fe0e552a471dc1c933236c38d8aaa83225324a7678
Opcode Fuzzy Hash: 31fdf4a9f3fd2043cce9a652e473f0a16c1e1a8f130391f4598760690e5349be
Instruction Fuzzy Hash: 04918075A042049FDB54DF58C985EAABBF5AF84304F1880DDE84A9F362C735EE85CB90

Function 00FEE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FEE30D

Strings

pow, xrefs: 00FEE2E5, 00FEE302

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 47724aa1c1fdffc776c215996fe294be900f83be8ca12d6087e66c47f299c9dc
Instruction ID: 1ddb1af5322fb23a6bce1e37a10ecda1969eb4e980617507546ed0e4466336db
Opcode Fuzzy Hash: 47724aa1c1fdffc776c215996fe294be900f83be8ca12d6087e66c47f299c9dc
Instruction Fuzzy Hash: 8C517B71E0C34A96CB217B15DD013BEBB94AF40760F304969E1D5822FDEB398C95BB46

Function 00FDE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00FDE1B1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f45562dfcf8fe15be206995c4b3c7fc23444ddbfef288f1c49212406896ba117
Instruction ID: 60e231c61417d205b777ea0a363f523e4493360f597326640877587207e16bf3
Opcode Fuzzy Hash: f45562dfcf8fe15be206995c4b3c7fc23444ddbfef288f1c49212406896ba117
Instruction Fuzzy Hash: 3A514735900246DFEB16EF28C881AFE7BE5FF55320F28405AEC919B2C4D6389D42D750

Function 00FDF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FDF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FDF2BB

Strings

@, xrefs: 00FDF2AF

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8e47e6b51d5272b6399c29aad1a824b49db464f11ae452f7d52c774c214f65f2
Instruction ID: 84d1cf6604af647f4f7511df386aab529ccf9db8e751df33870c4c7772703f95
Opcode Fuzzy Hash: 8e47e6b51d5272b6399c29aad1a824b49db464f11ae452f7d52c774c214f65f2
Instruction Fuzzy Hash: 705145719087459BD320AF10DD86BAFBBFCFB84300F81885DF1D942195EB758529CBA6

Function 01045745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010457E0
_wcslen.LIBCMT ref: 010457EC

Strings

CALLARGARRAY, xrefs: 010457E6, 010457EB

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 05facef81d326124c6461780b520703b7852a525713168c8466730361bfb92c3
Instruction ID: 7e90b540e21a4f9c8b9b890081438c9dec5d17a151cb1233e7c4bd126e19839e
Opcode Fuzzy Hash: 05facef81d326124c6461780b520703b7852a525713168c8466730361bfb92c3
Instruction Fuzzy Hash: ED41C171E002099FDB04EFA8CC81DAEBBF5FF59320F24406DE545A7292EB349981CB90

Function 0103D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0103D13A

Strings

|, xrefs: 0103D10B

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a7eae823f96ab16de34f172c191b1b04c70f78d5b38685c683d60c66ecfd3043
Instruction ID: a225bb67ae1237cbd97527c5bc1f32956697b400263118e58025ac8b06743ea7
Opcode Fuzzy Hash: a7eae823f96ab16de34f172c191b1b04c70f78d5b38685c683d60c66ecfd3043
Instruction Fuzzy Hash: BB315B71D0020AABDF15EFA5CD85EEEBFB9FF04300F000059F815A6162E735AA16DB64

Function 0105356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01053621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0105365C

Strings

static, xrefs: 010535BC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: fe7b1be5cecd50ebe17ab5b62b9542adc5293e5cef74f0814f2b64a8600414db
Instruction ID: 4adc91bc32dfacbfd1d744c85ef9336eaa3f5003585661819fc8093083b74245
Opcode Fuzzy Hash: fe7b1be5cecd50ebe17ab5b62b9542adc5293e5cef74f0814f2b64a8600414db
Instruction Fuzzy Hash: AC319C71100204AEEB609F28DC80FFB73A9FF88764F00961DFDA5DB280DA35A881D760

Function 01054537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0105461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01054634

Strings

', xrefs: 0105458E

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 123cfb7bb9f4d5ffd276a281955c4793b2fafb7e8ea73a703c51868e2192af7a
Instruction ID: 56bd8f6c4b85106946d9d294c8196892faa71d758ea697d5f884e1aa182eabea
Opcode Fuzzy Hash: 123cfb7bb9f4d5ffd276a281955c4793b2fafb7e8ea73a703c51868e2192af7a
Instruction Fuzzy Hash: C3311774A0120AAFDB54CF69C990BDA7BB5FB49304F104069EE44EB342E771A981CF90

Function 010531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0105327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01053287

Strings

Combobox, xrefs: 01053249

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9fa5a79bd3268555ed6eb49c26403ff8b633f4eb113b458f56930169d09b8fc4
Instruction ID: e0b075fbc0b67f98ddd3a3e392f306492e28c87e6aa9065ee36007dcbca4a28f
Opcode Fuzzy Hash: 9fa5a79bd3268555ed6eb49c26403ff8b633f4eb113b458f56930169d09b8fc4
Instruction Fuzzy Hash: F011D3713046096FFFA29E58DC80EBB379AFB483E4F104128F9949B291D6359C51C760

Function 01053710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FC604C
Part of subcall function 00FC600E: GetStockObject.GDI32(00000011), ref: 00FC6060
Part of subcall function 00FC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC606A

GetWindowRect.USER32(00000000,?), ref: 0105377A
GetSysColor.USER32(00000012), ref: 01053794

Strings

static, xrefs: 01053757

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 844d6ad5b1c8cbf3f848e72dd41343fac47ecd3acf73530b3d1d9fbad84ddd63
Instruction ID: 9d6903e199f3e38eeae655cb1b7349c318d13b587e466e990d81ac697b2079f8
Opcode Fuzzy Hash: 844d6ad5b1c8cbf3f848e72dd41343fac47ecd3acf73530b3d1d9fbad84ddd63
Instruction Fuzzy Hash: 5C111472A1020AAFEB51DFA8CD45AEB7BF8FB08354F004919FD95E6240E735E8519B60

Function 0103CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0103CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0103CDA6

Strings

<local>, xrefs: 0103CD66

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 877c53072525ebb01a1cc2c56e492c645359ecede46d5acbb51ebcb8fdced824
Instruction ID: 7d31d5bda6ea4cc715ac8b96465062ee388f3c8180b2d8e793d225095acce127
Opcode Fuzzy Hash: 877c53072525ebb01a1cc2c56e492c645359ecede46d5acbb51ebcb8fdced824
Instruction Fuzzy Hash: 821106752056357AE7746A6A8D4CEE7BEACEF826A4F00421BB189E3080D7749440C6F0

Function 01053429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010534BA

Strings

edit, xrefs: 0105348F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: fe484f55ae5fd69bdccaf423cb6c30460fca1a813c9fd458d6aa4617c8e7ec49
Instruction ID: d000aacf263fb67dea5b2c890bbdc0862d54ed6ff5792826728276958d8abeb4
Opcode Fuzzy Hash: fe484f55ae5fd69bdccaf423cb6c30460fca1a813c9fd458d6aa4617c8e7ec49
Instruction Fuzzy Hash: 2E116075100204ABEFA24E68DC44AAB3BAAFB053B4F504714FDA19B1D4CB75EC919B50

Function 01026C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

CharUpperBuffW.USER32(?,?,?), ref: 01026CB6
_wcslen.LIBCMT ref: 01026CC2

Strings

STOP, xrefs: 01026CBC, 01026CC1

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ea4f1e708ff5fa52a6ea553c3a78ab45ba8fcf6c736be6e73f35052baf5f1ee0
Instruction ID: 6cd907147fe7b0e6cd9d67e4565e7db9f5cf4a4a67284764b4a04f7d8a29709c
Opcode Fuzzy Hash: ea4f1e708ff5fa52a6ea553c3a78ab45ba8fcf6c736be6e73f35052baf5f1ee0
Instruction Fuzzy Hash: FE010032E0453B8BCB21BEBDCC819BF37E5EB51710B500568ECA293182EA37E540C650

Function 01021CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01021D4C

Strings

ComboBox, xrefs: 01021CEB
ListBox, xrefs: 01021D16

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f4cb2c35526f74d420271be935e411be3591bcb7a3e2cb7b59128b1145ff2c66
Instruction ID: 85538b4ba73f47aa759c7ef6d396e449cfba4d242c7ac5804e56ba3774070cf8
Opcode Fuzzy Hash: f4cb2c35526f74d420271be935e411be3591bcb7a3e2cb7b59128b1145ff2c66
Instruction Fuzzy Hash: F801243160423AABDB08FFA4CD15EFE77A8FB16350B00061DE8B25B2C0EA7458088760

Function 01021BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 01021C46

Strings

ComboBox, xrefs: 01021BE5
ListBox, xrefs: 01021C10

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 548d0a026023daebc0a96359b998934c5406b339d95409f8f1c326ea96ad939b
Instruction ID: 4a9427492305424466535668c068654922339b6e993bd600b93aa64a40eee678
Opcode Fuzzy Hash: 548d0a026023daebc0a96359b998934c5406b339d95409f8f1c326ea96ad939b
Instruction Fuzzy Hash: 2E01F77564412D76DB04FB90CE56EFF77E89B15340F60001DE596772C1EA74AA0C87B1

Function 01021C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 01021CC8

Strings

ComboBox, xrefs: 01021C69
ListBox, xrefs: 01021C94

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7261e9d0aaf923fccc2e69a3751d78fa0b0873e1464d5cac7f0726eec7eae58c
Instruction ID: 6fda4b11eb6a781259c2bd7a93a52e8657367168d0510fafc3e3b1adef84eac1
Opcode Fuzzy Hash: 7261e9d0aaf923fccc2e69a3751d78fa0b0873e1464d5cac7f0726eec7eae58c
Instruction Fuzzy Hash: 9C01F77560412D66DB04FB95CF16EFF77E89B21340F200029E88167281EA749A0886B1

Function 01021D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01021DD3

Strings

ComboBox, xrefs: 01021D75
ListBox, xrefs: 01021DA0

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8877745b7404110bda3b5a2530d1c54b34712176ed01b0d0148163ed82347b35
Instruction ID: 1e82599e2a0345f3890bba8069ba4271c2284b8e903c815e28248f0b934d3531
Opcode Fuzzy Hash: 8877745b7404110bda3b5a2530d1c54b34712176ed01b0d0148163ed82347b35
Instruction Fuzzy Hash: 6FF0F471A4422AA6DB14FBA4CD56FFF77A8AB15340F440919F8A2672C1DAB459088660

Function 0104747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01047493
_wcslen.LIBCMT ref: 010474B9

Strings

3, 3, 16, 1, xrefs: 01047483

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: dc23df5a3aa6533c9e9364ab113377e5e84a3b8e1905228795ad6af18806660a
Instruction ID: 5fa4a54618d0c90ddaa0a6c84d4af2a447515d26ad0afad629481e97e073c280
Opcode Fuzzy Hash: dc23df5a3aa6533c9e9364ab113377e5e84a3b8e1905228795ad6af18806660a
Instruction Fuzzy Hash: 9BE0E582201260119271227A9CC197F7AC9CFC9650710187EFAC1D226BEF98DD9193A1

Function 01020B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01020B23

Strings

AutoIt, xrefs: 01020B17
Error allocating memory., xrefs: 01020B1C

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5a18373add3ad9643d2d33a9267ab12e0f1b12c8210525754081fd270a8fe42f
Instruction ID: 132fd5660598f2e06f188c1892db140ad443d2bd37211c9d47ea4369ec2f04e1
Opcode Fuzzy Hash: 5a18373add3ad9643d2d33a9267ab12e0f1b12c8210525754081fd270a8fe42f
Instruction Fuzzy Hash: 37E0D8322483183AE32436957D07F8A7F99CF05F50F10046FFBD4995C38ADA245056A9

Function 00FE0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FDF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FE0D71,?,?,?,00FC100A), ref: 00FDF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00FC100A), ref: 00FE0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FC100A), ref: 00FE0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FE0D7F

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 92f6a3014a5e69148d917280b7cad7180f90a0c1e9f653f24b9c9bb79a3b483c
Instruction ID: 854a77d4cbf756e132a794ce2e77fd408b379fa165dc1c8dfe8cc6a09df2b012
Opcode Fuzzy Hash: 92f6a3014a5e69148d917280b7cad7180f90a0c1e9f653f24b9c9bb79a3b483c
Instruction Fuzzy Hash: 82E06D702003428BE3709FB9D9047477BE4AB00B44F04892DE8C6C7649DFF9E484EBA1

Function 01033017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0103302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 01033044

Strings

aut, xrefs: 01033038

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: db54db0deb40060f6351e5eef9913fe7100a0ec347ec2db07230211fffc2d911
Instruction ID: f800613fce6b01a7c2a6997e20b75fca0c1d7660673eda02de417f03809dfac5
Opcode Fuzzy Hash: db54db0deb40060f6351e5eef9913fe7100a0ec347ec2db07230211fffc2d911
Instruction Fuzzy Hash: 82D05E7250032867EF30A6A5AD4EFCB7A6CDB04690F0002A1B6D9D6085EAB59984CBD0

Function 0101D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0101D220

Strings

%.3d, xrefs: 0101D22B
X64, xrefs: 0101D2A8

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 3595ebcdc7a68bba01fb36bd9c25862bcd1cd98fe8d409000044f89b3381712a
Instruction ID: fa9f08f8cc9e98da81bbfea1be00e0d5d7a2ccf45b4abf387c66e2ebdaa68063
Opcode Fuzzy Hash: 3595ebcdc7a68bba01fb36bd9c25862bcd1cd98fe8d409000044f89b3381712a
Instruction Fuzzy Hash: 6FD01271808219E9CB50A6D0CC4D9FEB37CEB69251F448453F996D2008D62CD5085761

Function 01052322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0105232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0105233F

Part of subcall function 0102E97B: Sleep.KERNEL32 ref: 0102E9F3

Strings

Shell_TrayWnd, xrefs: 01052325

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6db72e1baf530caadacc3ea799ed8ef1bd4425b0ca4da90b6e9c73d0d18620ee
Instruction ID: 81b893d32ef10140d9a8b9c75513a6d08fccadaa3d1d9d654dcaf9978acf7e27
Opcode Fuzzy Hash: 6db72e1baf530caadacc3ea799ed8ef1bd4425b0ca4da90b6e9c73d0d18620ee
Instruction Fuzzy Hash: E8D0A932394310B6E374B270DD1EFC7BA08AB00B00F000906B2C5AA2C4C8B5A8008B50

Function 01052356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0105236C
PostMessageW.USER32(00000000), ref: 01052373

Part of subcall function 0102E97B: Sleep.KERNEL32 ref: 0102E9F3

Strings

Shell_TrayWnd, xrefs: 01052365

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 376280607c2b6ee463006deaea618ce65da1ae88e63c3a40af0ede45162886ae
Instruction ID: cb789051877291da15be4da0751e92d6abb9d11aff9a773c79edf04c1cfa7cc3
Opcode Fuzzy Hash: 376280607c2b6ee463006deaea618ce65da1ae88e63c3a40af0ede45162886ae
Instruction Fuzzy Hash: 9DD0A9323C03107AF374B270DD0EFC7B608AB04B00F000906B2C1AA2C4C8B5A8008B54

Function 00FFBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FFBE93
GetLastError.KERNEL32 ref: 00FFBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FFBEFC

Memory Dump Source

Source File: 00000000.00000002.1776989012.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1776955695.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777113776.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777221345.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777325884.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 074daf692e9f5b5270e59c5a61d1b43ee77bb4cef407082c4b3ff00e54046dcf
Instruction ID: 3820e9930ccfaf98ed5b3abba6279468c2a5e13fd75a1f329e3a027032420541
Opcode Fuzzy Hash: 074daf692e9f5b5270e59c5a61d1b43ee77bb4cef407082c4b3ff00e54046dcf
Instruction Fuzzy Hash: 6A41E635A0424AAFDF218FA5CC44BBA7BA9EF41730F144169FA59971F1DB318D00EB60

Analysis Process: firefox.exePID: 8028, Parent PID: 7956COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001E48B466BB7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001E48B466BDC

Memory Dump Source

Source File: 00000010.00000002.2982841504.000001E48B463000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E48B463000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1e48b463000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 5db63d847c47a96f357c2b644f9a0198b86b7aa8a4315a62e1c64cf598bf0e4c
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 14A3E431614A888FEB2DDF69DC867E977E5FB95700F14522EDD4BC3241DE30EA428A81

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1944106836.0000022B60DB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1946560326.0000022B6EC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1949732531.0000022B6EC7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1906370951.0000022B6B0DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1906987383.0000022B6B0BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921285593.0000022B6ADDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920907449.0000022B6EDE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1906987383.0000022B6B0BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906370951.0000022B6B0DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920907449.0000022B6EDE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1913514243.0000022B653E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965194376.0000022B64622000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946560326.0000022B6EC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1949732531.0000022B6EC7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1795926965.0000022B6B048000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906987383.0000022B6B03F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927290159.0000022B6B04D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1795926965.0000022B6B048000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906987383.0000022B6B03F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927290159.0000022B6B04D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1906987383.0000022B6B0BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906370951.0000022B6B0DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921285593.0000022B6ADDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1906987383.0000022B6B0BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906370951.0000022B6B0DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920907449.0000022B6EDE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956754119.0000022B663E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AE0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956754119.0000022B663E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AE0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1963083511.0000022B64DB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956754119.0000022B663E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2978657916.000001E48AE0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2978657916.000001E48AE0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2978657916.000001E48AE0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2978657916.000001E48AE0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1926775888.0000022B6ECE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1975212777.0000022B63649000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913514243.0000022B653E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946344507.0000022B6ED29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1921285593.0000022B6ADDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945055328.0000022B6ADDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946344507.0000022B6ED29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919617969.0000022B6CB1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953097564.0000022B6CB57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947116265.0000022B6CB1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1824535081.0000022B6059B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824155293.0000022B60599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comH equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1963789400.0000022B64795000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933486824.0000022B64795000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942303173.0000022B637F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49858 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8722b5ba-2626-408a-8bee-fba4cfc006cd.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8722b5ba-2626-408a-8bee-fba4cfc006cd.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre