Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1543414
MD5:	55990899d8e850771b61542ea3d37ec8
SHA1:	79527c12df168963c88b4df0a04c359f39acbc90
SHA256:	21a5fab1674ba6cdaf4d719834af3ef30ff8dbc375f122b4d4bd742946ba75c9
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 55990899D8E850771B61542EA3D37EC8)

taskkill.exe (PID: 5780 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4248 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1284 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6328 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3368 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1136 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6712 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6492 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7188 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f88346-6333-4799-959c-912c4b9d23ab} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2af85e6d710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7772 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -parentBuildID 20230927232528 -prefsHandle 3292 -prefMapHandle 3320 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19710090-97b7-4bed-989f-fc83a0214d86} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2af97d73f10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7612 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5144 -prefMapHandle 4744 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a8eb069-afd9-4fee-99d8-1d4b5ab48262} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2afa1ba7f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6848	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00A7EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A7EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A7ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00A7EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00A6AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A99576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A99576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_92675959-d
Source: file.exe, 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_aa472416-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c6474993-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6351afc8-1

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F0254832B7 NtQuerySystemInformation,		16_2_000001F0254832B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F0258488F2 NtQuerySystemInformation,		16_2_000001F0258488F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A6D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A61201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A61201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A6E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0BF40	0_2_00A0BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A08060	0_2_00A08060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A72046	0_2_00A72046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A68298	0_2_00A68298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3E4FF	0_2_00A3E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3676B	0_2_00A3676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A94873	0_2_00A94873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2CAA0	0_2_00A2CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0CAF0	0_2_00A0CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1CC39	0_2_00A1CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A36DD9	0_2_00A36DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A091C0	0_2_00A091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1B119	0_2_00A1B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21394	0_2_00A21394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21706	0_2_00A21706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2781B	0_2_00A2781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A219B0	0_2_00A219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A07920	0_2_00A07920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1997D	0_2_00A1997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A27A4A	0_2_00A27A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A27CA7	0_2_00A27CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21C77	0_2_00A21C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A39EEE	0_2_00A39EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8BE44	0_2_00A8BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21F32	0_2_00A21F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F0254832B7	16_2_000001F0254832B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F0258488F2	16_2_000001F0258488F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F025848932	16_2_000001F025848932
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F02584901C	16_2_000001F02584901C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A1F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A20A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@71/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A737B5 GetLastError,FormatMessageW,

0_2_00A737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A610BF AdjustTokenPrivileges,CloseHandle,		0_2_00A610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A6D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00A7648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1948329267.000002AF9DC96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1912223283.000002AFA1B95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1916717796.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973117896.000002AF9F5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001024166.000002AF9F5E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f88346-6333-4799-959c-912c4b9d23ab} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2af85e6d710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -parentBuildID 20230927232528 -prefsHandle 3292 -prefMapHandle 3320 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19710090-97b7-4bed-989f-fc83a0214d86} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2af97d73f10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5144 -prefMapHandle 4744 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a8eb069-afd9-4fee-99d8-1d4b5ab48262} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2afa1ba7f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f88346-6333-4799-959c-912c4b9d23ab} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2af85e6d710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -parentBuildID 20230927232528 -prefsHandle 3292 -prefMapHandle 3320 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19710090-97b7-4bed-989f-fc83a0214d86} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2af97d73f10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5144 -prefMapHandle 4744 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a8eb069-afd9-4fee-99d8-1d4b5ab48262} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2afa1ba7f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1959985705.000002AF9338C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1945847966.000002AF9337C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1959985705.000002AF9338C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1959985705.000002AF9338C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1945847966.000002AF9337C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1957845982.000002AF9F701000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1959985705.000002AF9338C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1957845982.000002AF9F701000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A20A76 push ecx; ret

0_2_00A20A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A1F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A91C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A91C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95818

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F0254832B7 rdtsc

16_2_000001F0254832B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A6DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A768EE FindFirstFileW,FindClose,	0_2_00A768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00A7698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A6D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A6D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A79642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A7979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A79B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A75C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00A75C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: firefox.exe, 00000010.00000002.2959711918.000001F025380000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: firefox.exe, 00000010.00000002.2959711918.000001F025380000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: firefox.exe, 0000000F.00000002.2961372312.000001E7B8D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: firefox.exe, 0000000F.00000002.2955829863.000001E7B84AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2960451631.000001D69DF00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2953751216.000001D69DA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2960628630.000001E7B891E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2955829863.000001E7B84AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@)M
Source: firefox.exe, 0000000F.00000002.2961372312.000001E7B8D40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2955829863.000001E7B84AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2959711918.000001F025380000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.2953747253.000001F024C3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0d8%

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F0254832B7 rdtsc

16_2_000001F0254832B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7EAA2 BlockInput,

0_2_00A7EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A32622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A24CE8 mov eax, dword ptr fs:[00000030h]

0_2_00A24CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A60B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00A60B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A32622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A2083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A209D5 SetUnhandledExceptionFilter,	0_2_00A209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A20C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A20C21

Source: C:\Users\user\Desktop\file.exe

0_2_00A61201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A42BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A42BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6B226 SendInput,keybd_event,

0_2_00A6B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00A822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00A60B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A61663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A61663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1929673603.000002AF9F701000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A20698 cpuid

0_2_00A20698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A78195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00A78195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A5D27A GetUserNameW,

0_2_00A5D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A3BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6848, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6848, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00A81204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A81806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.193	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.18.14	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.65.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000D.00000003.1956918060.000002AF95561000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.2956815918.000001D69DEC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1870375892.000002AF97558000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2956813073.000001E7B87CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2955374972.000001F024EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2960655148.000001D69E003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1887364235.000002AF9E02D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.2956815918.000001D69DE8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1797187278.000002AF9DDFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917871455.000002AF9DDE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797226467.000002AF9DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796396953.000002AF9E0B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947605361.000002AF9DDE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.comP	firefox.exe, 0000000D.00000003.1963075320.000002AF97EC5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1797226467.000002AF9DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956918060.000002AF95561000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1917193827.000002AF9DF62000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1761921707.000002AF95977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761338133.000002AF95700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761769083.000002AF9595A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761627860.000002AF9593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761480299.000002AF9591F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1982411742.000002AF96E79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1973586110.000002AF9F5A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1920399854.000002AF9DA8C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1891042439.000002AF97223000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761921707.000002AF95977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761338133.000002AF95700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982054311.000002AF96EC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981583607.000002AF97106000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761769083.000002AF9595A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924760017.000002AF9721F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965586077.000002AF97106000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761627860.000002AF9593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761480299.000002AF9591F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1950874377.000002AF98F74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1761921707.000002AF95977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761338133.000002AF95700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761769083.000002AF9595A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761627860.000002AF9593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761480299.000002AF9591F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000D.00000003.1801455105.000002AF96E06000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1979253488.000002AF97DDB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2956813073.000001E7B87CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2955374972.000001F024EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2960655148.000001D69E003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.2001191247.000002AF9F53E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1927039273.000002AF9D9A9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2956813073.000001E7B87CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2955374972.000001F024EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2960655148.000001D69E003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1927039273.000002AF9D9A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2955374972.000001F024E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2956815918.000001D69DE0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1864937784.000002AF97675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866193676.000002AF97682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829448672.000002AF97679000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1797187278.000002AF9DDFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917871455.000002AF9DDE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797226467.000002AF9DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947605361.000002AF9DDE9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.2001191247.000002AF9F53E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.2956815918.000001D69DEC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1797226467.000002AF9DDB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797093764.000002AF9DFAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797226467.000002AF9DDB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797093764.000002AF9DFB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1829448672.000002AF97649000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865570611.000002AF97491000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1873056917.000002AF96FE5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1973586110.000002AF9F57E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1982411742.000002AF96E4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.2956815918.000001D69DE13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1797187278.000002AF9DDFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917871455.000002AF9DDE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797226467.000002AF9DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796396953.000002AF9E0C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947605361.000002AF9DDE9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1920399854.000002AF9DA8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1801799252.000002AF96C72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1814974277.000002AF96FE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873056917.000002AF96FD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1950874377.000002AF98F59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768781739.000002AF95DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828643272.000002AF96BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963463857.000002AF97DDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920791797.000002AF9DA45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818806313.000002AF9707F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909513349.000002AF96AD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898781131.000002AF96BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768073230.000002AF96BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1935063664.000002AF970A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892609241.000002AF9946C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823727120.000002AF96BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887364235.000002AF9E015000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873056917.000002AF96FE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889380764.000002AF9DB09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825518457.000002AF9946C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798327664.000002AF96CF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767312484.000002AF96BEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768073230.000002AF96BE6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1950874377.000002AF98F74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1950874377.000002AF98F74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953681796.000002AF98529000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922058144.000002AF98529000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000D.00000003.1801455105.000002AF96E06000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1797187278.000002AF9DDFA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1916380565.000002AF9F647000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912866352.000002AFA1B0B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1916380565.000002AF9F647000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912866352.000002AFA1B0B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1801799252.000002AF96C72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1887364235.000002AF9E02D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1764204378.000002AF95533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763286896.000002AF95533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763988943.000002AF9551A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957381146.000002AF95539000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micr	firefox.exe, 0000000D.00000003.1945291350.000002AF93353000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959350234.000002AF93335000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1964099960.000002AF971E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980447530.000002AF971EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1950874377.000002AF98F74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976943476.000002AF98F83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1864937784.000002AF97675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866193676.000002AF97682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829448672.000002AF97679000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1764204378.000002AF95533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763286896.000002AF95533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763988943.000002AF9551A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957381146.000002AF95539000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.2001191247.000002AF9F53E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2956813073.000001E7B87CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2955374972.000001F024EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2960655148.000001D69E003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1975071297.000002AF9DCBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1797187278.000002AF9DDFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917871455.000002AF9DDE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797226467.000002AF9DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796396953.000002AF9E0C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947605361.000002AF9DDE9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1912176119.000002AFA1BB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1761480299.000002AF9591F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1916380565.000002AF9F6D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1801799252.000002AF96C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761921707.000002AF95977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761338133.000002AF95700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982054311.000002AF96EC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981583607.000002AF97106000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761769083.000002AF9595A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924760017.000002AF9721F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965586077.000002AF97106000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761627860.000002AF9593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761480299.000002AF9591F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1920399854.000002AF9DA8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2956234664.000001E7B85B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2960397383.000001F0254B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2955380747.000001D69DB50000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1797187278.000002AF9DDFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948329267.000002AF9DC96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1927039273.000002AF9D9A9000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.186.142	youtube.com	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543414
Start date and time:	2024-10-27 19:54:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@71/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.10.6.163, 52.10.231.25, 44.237.129.44, 142.250.184.206, 2.18.121.79, 2.18.121.73, 88.221.134.155, 88.221.134.209, 142.250.185.206, 142.250.185.170, 142.250.186.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, e16604.g.akamaiedge.net, safebrowsing.googleapis.com, prod.fs.microsoft.com.akadns.net, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 6492 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:55:17	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_68bacf7a-01a0-48e3-9367-9826fefa565f.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181143474310575
Encrypted:	false
SSDEEP:	192:DjMXN5acbhbVbTbfbRbObtbyEl7nlW/rnJA6WnSrDtTUd/SkDrmt:DYKcNhnzFSJFW/rOBnSrDhUd/Ut
MD5:	897BD031220B7A99CE25441496DDE679
SHA1:	8502C2DCE4A2704DF6621CBB3400CBDBB30425F6
SHA-256:	9639D9E54D397B2C138A1FEB0515B36BE09293CEE49F7BAF5F4E9357F86C18D8
SHA-512:	DA67B6FF7504CCC0A4556527542A339A91B798299118C7BD0D30C504ECD10AE9F82E5E0C93A0C7180DDDBBFFCEB373AE49B0734282ED2B930048AF73D6164EA1
Malicious:	false
Preview:	{"type":"uninstall","id":"68bacf7a-01a0-48e3-9367-9826fefa565f","creationDate":"2024-10-27T20:52:18.794Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_68bacf7a-01a0-48e3-9367-9826fefa565f.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181143474310575
Encrypted:	false
SSDEEP:	192:DjMXN5acbhbVbTbfbRbObtbyEl7nlW/rnJA6WnSrDtTUd/SkDrmt:DYKcNhnzFSJFW/rOBnSrDhUd/Ut
MD5:	897BD031220B7A99CE25441496DDE679
SHA1:	8502C2DCE4A2704DF6621CBB3400CBDBB30425F6
SHA-256:	9639D9E54D397B2C138A1FEB0515B36BE09293CEE49F7BAF5F4E9357F86C18D8
SHA-512:	DA67B6FF7504CCC0A4556527542A339A91B798299118C7BD0D30C504ECD10AE9F82E5E0C93A0C7180DDDBBFFCEB373AE49B0734282ED2B930048AF73D6164EA1
Malicious:	false
Preview:	{"type":"uninstall","id":"68bacf7a-01a0-48e3-9367-9826fefa565f","creationDate":"2024-10-27T20:52:18.794Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928664327406299
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLzhlV8P:8S+OBIUjOdwiOdYVjjwL9lV8P
MD5:	F0CFA5581D2BE47E8F1B9DA651CDC886
SHA1:	9F751A86357754F43F5B98A8510FD9A8FD8736EE
SHA-256:	8BF0F2BE20268E21BC4293D8881C709D863C40AAEDBCFF5FF2CD77966E687D6E
SHA-512:	B44971F025BA133EDE91F672CBAEDD6F8F43534EA88B567A26D84FF10BD04F43959AAE36634E9539E40F22CB9B27E31B36B5171C06A8FA1C594296FF8F8DA56B
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928664327406299
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLzhlV8P:8S+OBIUjOdwiOdYVjjwL9lV8P
MD5:	F0CFA5581D2BE47E8F1B9DA651CDC886
SHA1:	9F751A86357754F43F5B98A8510FD9A8FD8736EE
SHA-256:	8BF0F2BE20268E21BC4293D8881C709D863C40AAEDBCFF5FF2CD77966E687D6E
SHA-512:	B44971F025BA133EDE91F672CBAEDD6F8F43534EA88B567A26D84FF10BD04F43959AAE36634E9539E40F22CB9B27E31B36B5171C06A8FA1C594296FF8F8DA56B
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6075
Entropy (8bit):	6.623258976790648
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
MD5:	0EE1DEA50353EF72B3983D45C0F79672
SHA1:	83A858B3793BD9B1C35A954FA71582F557DDAB01
SHA-256:	76D8DD378010DD3158633286B32FCEE00A63EA8E85EAF2E60A8B8B1F6FD32C87
SHA-512:	D08B7A1C9EBF2C277662EA7314B371EE114153AE8CA840100D9EA053210BD20188CE591CA247C7E541590C6AAD925AD10F84F1AA025ACB2F01BC37B1DBC57EBD
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6075
Entropy (8bit):	6.623258976790648
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
MD5:	0EE1DEA50353EF72B3983D45C0F79672
SHA1:	83A858B3793BD9B1C35A954FA71582F557DDAB01
SHA-256:	76D8DD378010DD3158633286B32FCEE00A63EA8E85EAF2E60A8B8B1F6FD32C87
SHA-512:	D08B7A1C9EBF2C277662EA7314B371EE114153AE8CA840100D9EA053210BD20188CE591CA247C7E541590C6AAD925AD10F84F1AA025ACB2F01BC37B1DBC57EBD
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07327088419486406
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkir:DLhesh7Owd4+ji
MD5:	FB56C92123F8D0C4A3292C39E5745D1D
SHA1:	A211FBC58B20FF69A6B2D58C54E86A0C594ED218
SHA-256:	C71B261108DBE3FBFC8CBC8D419CDD50019D3281493D929DACB661A6710F98D6
SHA-512:	0D10F0044FC36992A09B7AFD6BF6ED5CE7049B213B6CA3DB5BB6391F127521FAAABB64EBA7FD2E74B35B16481E774C84508F6E58666B4BF4636F9697EDBF32EA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035447157006298996
Encrypted:	false
SSDEEP:	3:GtlstF9FNKgg4cz9o/3lstF9FNKgg4czl/l/T89//alEl:GtWt3rWt3Qx89XuM
MD5:	995AF9633C2C0CA215E0C65E32E8A674
SHA1:	513E670122287EB155627CE3A4DA5FFF6041F5ED
SHA-256:	3FA51B3212CDA73B741000D6F818BA90DB5E2D6988A75EEBEE6CBAB909F35D91
SHA-512:	1103E66AD2710176102EB3B6BA13481D12BFEEC669F25B7D8D7187A07FD541C6BA6F4C7D4B3B512CCB24A233C380EEA218A094B5A2B978BC4AAE951B4DD15349
Malicious:	false
Preview:	..-...........................I.Y....V.y.....)....-...........................I.Y....V.y.....)..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03956585623368126
Encrypted:	false
SSDEEP:	3:Ol1/5njtxwy/f8flLv/4wl8rEXsxdwhml8XW3R2:K7njtbgLl8dMhm93w
MD5:	E6C1228F7C4994B73264DDEB355294D5
SHA1:	2AF521A51DCB846F152E0653DD70C4EA553BDF7C
SHA-256:	DD2EB4ACA1D93F558ED4E6F2EE0385B441EABA5DEA951ED239B6F460D76D2A6A
SHA-512:	42852B395C5BAAE51C9D97F9AA193239F2F265CE48B68DE86F5FCFB1C400B17415E5B4F419B1AB96A9DAC72416DC1B1A2F1F05057E823A6C2A518EC5B5244A26
Malicious:	false
Preview:	7....-..........Y....V.y..l ...........Y....V.y.....I..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4942813366868055
Encrypted:	false
SSDEEP:	192:GnaRtLYbBp6shj4qyaaXp6KLL8+N9VI5RfGNBw8dYSl:DeyqPaL8q9Ccw30
MD5:	449B732F6F691248C34AC03291817AB7
SHA1:	4F7971A86DDF589402CEF0926CE797E6282EB37D
SHA-256:	A2D2756C3826273B81DD78481F765E48981C48A435A269C514A676BF49F18608
SHA-512:	47745A683233D58D0AED1E6F45C7913C4ABF566D75454AE8B6B11D14D836CC534888EA48464290226057F3B4BA42F536881D05E940A84BA5CAD7F00BF54ABF23
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730062309);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730062309);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730062309);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173006

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4942813366868055
Encrypted:	false
SSDEEP:	192:GnaRtLYbBp6shj4qyaaXp6KLL8+N9VI5RfGNBw8dYSl:DeyqPaL8q9Ccw30
MD5:	449B732F6F691248C34AC03291817AB7
SHA1:	4F7971A86DDF589402CEF0926CE797E6282EB37D
SHA-256:	A2D2756C3826273B81DD78481F765E48981C48A435A269C514A676BF49F18608
SHA-512:	47745A683233D58D0AED1E6F45C7913C4ABF566D75454AE8B6B11D14D836CC534888EA48464290226057F3B4BA42F536881D05E940A84BA5CAD7F00BF54ABF23
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730062309);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730062309);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730062309);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173006

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\62eb8d7e-b9fe-4cc1-b546-a80b9f897aef (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.967755928228539
Encrypted:	false
SSDEEP:	12:YZFgcSVTNA6JMFEIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YjQTNAe/SlCOlZGV1AQIWZcy6Z2d
MD5:	11BFA9E93E2B7755AA2DF527F289D22B
SHA1:	27812B2734C271EE1526EE29FFE8282B9D88531F
SHA-256:	0170DBD7B28E68632B374F7BBA8D90FC9776B1C401B4149EE07420938934AB71
SHA-512:	509EEB99F5599B85100422E1A61C8144AB82434F0CDC7240DBD7E6E4F663513B1D09A68466785764598AB2B7B14ED4EF0DC9EDD11698FAFFCD053DCA7F77FE75
Malicious:	false
Preview:	{"type":"health","id":"62eb8d7e-b9fe-4cc1-b546-a80b9f897aef","creationDate":"2024-10-27T20:52:19.489Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\62eb8d7e-b9fe-4cc1-b546-a80b9f897aef.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.967755928228539
Encrypted:	false
SSDEEP:	12:YZFgcSVTNA6JMFEIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YjQTNAe/SlCOlZGV1AQIWZcy6Z2d
MD5:	11BFA9E93E2B7755AA2DF527F289D22B
SHA1:	27812B2734C271EE1526EE29FFE8282B9D88531F
SHA-256:	0170DBD7B28E68632B374F7BBA8D90FC9776B1C401B4149EE07420938934AB71
SHA-512:	509EEB99F5599B85100422E1A61C8144AB82434F0CDC7240DBD7E6E4F663513B1D09A68466785764598AB2B7B14ED4EF0DC9EDD11698FAFFCD053DCA7F77FE75
Malicious:	false
Preview:	{"type":"health","id":"62eb8d7e-b9fe-4cc1-b546-a80b9f897aef","creationDate":"2024-10-27T20:52:19.489Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.334186685056826
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS57xLXnIgaU/pnxQwRlszT5sKt0n3eHVQj6TZamhujJlOsIomNVryM:GUpOxCisnR6G3eHTZ4JlIUNR4
MD5:	FBA076C3D9C7F7FB1356A5972AC3BFA6
SHA1:	E99B98AF44030244B79E1F9A81C3A5E7655982C6
SHA-256:	F2AB7EF019590AD616B2A3EFE1472CBB9AE22C3439C71F614F6AEF9D74768C71
SHA-512:	E8DDF67822497BDB6472687464BDD34CC8F7ACC22FB1B1CCF5F167A48AF7947203ABAD3628AAAD32352E0CD885AC2E9F2533204E8D89D31610765A0C4FF5E2D9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8e31f0df-2713-4f02-b3e1-e669a6b19aa1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730062314801,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..Q27887...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....285713,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.334186685056826
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS57xLXnIgaU/pnxQwRlszT5sKt0n3eHVQj6TZamhujJlOsIomNVryM:GUpOxCisnR6G3eHTZ4JlIUNR4
MD5:	FBA076C3D9C7F7FB1356A5972AC3BFA6
SHA1:	E99B98AF44030244B79E1F9A81C3A5E7655982C6
SHA-256:	F2AB7EF019590AD616B2A3EFE1472CBB9AE22C3439C71F614F6AEF9D74768C71
SHA-512:	E8DDF67822497BDB6472687464BDD34CC8F7ACC22FB1B1CCF5F167A48AF7947203ABAD3628AAAD32352E0CD885AC2E9F2533204E8D89D31610765A0C4FF5E2D9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8e31f0df-2713-4f02-b3e1-e669a6b19aa1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730062314801,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..Q27887...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....285713,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.334186685056826
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS57xLXnIgaU/pnxQwRlszT5sKt0n3eHVQj6TZamhujJlOsIomNVryM:GUpOxCisnR6G3eHTZ4JlIUNR4
MD5:	FBA076C3D9C7F7FB1356A5972AC3BFA6
SHA1:	E99B98AF44030244B79E1F9A81C3A5E7655982C6
SHA-256:	F2AB7EF019590AD616B2A3EFE1472CBB9AE22C3439C71F614F6AEF9D74768C71
SHA-512:	E8DDF67822497BDB6472687464BDD34CC8F7ACC22FB1B1CCF5F167A48AF7947203ABAD3628AAAD32352E0CD885AC2E9F2533204E8D89D31610765A0C4FF5E2D9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8e31f0df-2713-4f02-b3e1-e669a6b19aa1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730062314801,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..Q27887...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....285713,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033208923812917
Encrypted:	false
SSDEEP:	48:YrSAYrs6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycQyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	B8C95BD6D7AD99C5104AD8E13DF80BC7
SHA1:	6BFA9D74E66A9AB5E1C13C46BDB9A8ECD7577C21
SHA-256:	0D1D4B4E5CA8D12B9A5A21C8F060C7BE29E1AD53E2A443845FDEF11ABACEF661
SHA-512:	EB971019D37C9AE1C0443B72F6A605FFF8ED49B19A5115B2DC673A5AADDCD640A1E18C5C5077A504F64D5ADDA61BADEC7E6CE6477EAC869EE3F7CC0EA077DE48
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-27T20:51:37.922Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033208923812917
Encrypted:	false
SSDEEP:	48:YrSAYrs6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycQyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	B8C95BD6D7AD99C5104AD8E13DF80BC7
SHA1:	6BFA9D74E66A9AB5E1C13C46BDB9A8ECD7577C21
SHA-256:	0D1D4B4E5CA8D12B9A5A21C8F060C7BE29E1AD53E2A443845FDEF11ABACEF661
SHA-512:	EB971019D37C9AE1C0443B72F6A605FFF8ED49B19A5115B2DC673A5AADDCD640A1E18C5C5077A504F64D5ADDA61BADEC7E6CE6477EAC869EE3F7CC0EA077DE48
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-27T20:51:37.922Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5846723078597575
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	55990899d8e850771b61542ea3d37ec8
SHA1:	79527c12df168963c88b4df0a04c359f39acbc90
SHA256:	21a5fab1674ba6cdaf4d719834af3ef30ff8dbc375f122b4d4bd742946ba75c9
SHA512:	cf06396aaa3c3c519b96a8fdb65ce2dd74ef2f58d4ade0542c199a21c9a52f4e876dd3c668c7a6c1ac5f48f16936c765314957b5817bfccf851789ecf5e52206
SSDEEP:	12288:RqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TF:RqDEvCTbMWu7rQYlBQcBiT6rprG8abF
TLSH:	AC159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671E8C08 [Sun Oct 27 18:52:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB0CC6E7BC3h
jmp 00007FB0CC6E74CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB0CC6E76ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB0CC6E767Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB0CC6EA26Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB0CC6EA2B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB0CC6EA2A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	a851c573ffdf4de29aae0fa6b1558099	False	0.3156398338607595	data	5.373267097697177	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 19:55:12.306934118 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:12.306956053 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:12.307497025 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:12.312609911 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:12.312637091 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:12.956284046 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:12.956367970 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:12.965362072 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:12.965380907 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:12.965503931 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:12.965641022 CET	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:12.965960026 CET	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:14.447412014 CET	49738	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:14.447453976 CET	443	49738	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:14.450041056 CET	49738	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:14.452485085 CET	49738	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:14.452528000 CET	443	49738	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:14.466429949 CET	49739	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:14.466448069 CET	443	49739	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:14.481656075 CET	49739	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:14.486808062 CET	49739	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:14.486821890 CET	443	49739	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:14.547492981 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:14.554490089 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:14.558235884 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:14.558516979 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:14.565303087 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:14.788361073 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:14.788389921 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:14.788669109 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:14.790641069 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:14.790680885 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.096260071 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.096302032 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.099021912 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.100665092 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.100682974 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.160928965 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:15.215096951 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:15.275609970 CET	49743	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:15.276961088 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.276981115 CET	443	49744	34.160.144.191	192.168.2.4
Oct 27, 2024 19:55:15.277473927 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.277584076 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.277596951 CET	443	49744	34.160.144.191	192.168.2.4
Oct 27, 2024 19:55:15.281142950 CET	80	49743	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:15.281224012 CET	49743	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:15.281387091 CET	49743	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:15.287461042 CET	80	49743	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:15.297007084 CET	443	49738	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.297100067 CET	49738	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.297595978 CET	443	49738	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.297956944 CET	49738	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.301635981 CET	49738	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.301645994 CET	443	49738	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.301661015 CET	49738	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.301774025 CET	443	49738	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.303577900 CET	49738	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.350697041 CET	443	49739	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.350709915 CET	443	49739	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.350792885 CET	49739	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.351994038 CET	443	49739	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.352054119 CET	49739	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.407910109 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.409449100 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.438098907 CET	49739	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.438112974 CET	443	49739	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.438303947 CET	49739	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.438457966 CET	443	49739	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.438847065 CET	49745	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.438863993 CET	443	49745	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.441970110 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.441991091 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.442140102 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.442276001 CET	443	49741	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.442547083 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.442559004 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.449527979 CET	49739	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.449553967 CET	49741	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.449563026 CET	49745	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.449563026 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.452065945 CET	49745	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:15.452089071 CET	443	49745	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:15.457895041 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.457918882 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.716953993 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.717457056 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.721554995 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.721574068 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.721592903 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.721829891 CET	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.722086906 CET	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.826339006 CET	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.826365948 CET	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.826787949 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:15.832561016 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:15.838191986 CET	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.839962959 CET	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:15.839987040 CET	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:15.875931025 CET	80	49743	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:15.882356882 CET	443	49744	34.160.144.191	192.168.2.4
Oct 27, 2024 19:55:15.883032084 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.886120081 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.886130095 CET	443	49744	34.160.144.191	192.168.2.4
Oct 27, 2024 19:55:15.886472940 CET	443	49744	34.160.144.191	192.168.2.4
Oct 27, 2024 19:55:15.888484955 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.888576031 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.888657093 CET	443	49744	34.160.144.191	192.168.2.4
Oct 27, 2024 19:55:15.888849020 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.888849020 CET	49744	443	192.168.2.4	34.160.144.191
Oct 27, 2024 19:55:15.930994987 CET	49743	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:15.954040051 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:16.011975050 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:16.065093994 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.065149069 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.072330952 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.261188030 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.261213064 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.261250973 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.261493921 CET	443	49746	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.268218994 CET	49746	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.279268026 CET	49749	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:16.279294014 CET	443	49749	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:16.283444881 CET	49749	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:16.283608913 CET	49749	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:16.283620119 CET	443	49749	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:16.316679955 CET	443	49745	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:16.316724062 CET	443	49745	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:16.316848040 CET	49745	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:16.319185019 CET	443	49745	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:16.319245100 CET	49745	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:16.319257975 CET	443	49745	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:16.323429108 CET	49745	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:16.323441982 CET	443	49745	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:16.323513985 CET	49745	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:16.323666096 CET	443	49745	142.250.186.142	192.168.2.4
Oct 27, 2024 19:55:16.323841095 CET	49745	443	192.168.2.4	142.250.186.142
Oct 27, 2024 19:55:16.455372095 CET	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.455388069 CET	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.458142996 CET	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.462363958 CET	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.462405920 CET	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.462435961 CET	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.462604046 CET	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.462893009 CET	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.462913036 CET	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.462965012 CET	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.466320992 CET	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.468044996 CET	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:16.468058109 CET	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:16.816567898 CET	49743	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:16.823843002 CET	80	49743	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:16.898760080 CET	443	49749	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:16.901599884 CET	49749	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:16.904987097 CET	49749	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:16.905004978 CET	443	49749	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:16.905287981 CET	443	49749	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:16.907975912 CET	49749	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:16.908021927 CET	49749	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:16.908184052 CET	443	49749	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:16.908364058 CET	49749	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:16.943486929 CET	80	49743	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:16.954672098 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:16.961774111 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:16.993052006 CET	49743	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.081316948 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:17.094868898 CET	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:17.094955921 CET	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:17.099124908 CET	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:17.099158049 CET	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:17.099185944 CET	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:17.099723101 CET	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 19:55:17.099791050 CET	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 19:55:17.124532938 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.310709000 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.310719967 CET	49743	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.316512108 CET	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:17.316560030 CET	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.316981077 CET	80	49743	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:17.317040920 CET	49743	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.368496895 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.373872042 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:17.377458096 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.377552032 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.383413076 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:17.554431915 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.560899973 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:17.563608885 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.563813925 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:17.570305109 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:17.760202885 CET	49755	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:17.760229111 CET	443	49755	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:17.762033939 CET	49755	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:17.763331890 CET	49755	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:17.763343096 CET	443	49755	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:17.986421108 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:18.028085947 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:18.168382883 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:18.228521109 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:18.387408018 CET	443	49755	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:18.394665956 CET	49755	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:18.399260998 CET	49755	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:18.399281979 CET	443	49755	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:18.399300098 CET	49755	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:18.399627924 CET	443	49755	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:18.399748087 CET	49755	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:21.930284023 CET	49756	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:21.930330038 CET	443	49756	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:21.930663109 CET	49756	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:21.930823088 CET	49756	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:21.930841923 CET	443	49756	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:21.943855047 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:21.949163914 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:21.957303047 CET	49758	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:21.957318068 CET	443	49758	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:21.959835052 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:21.960927963 CET	49758	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:21.962399006 CET	49758	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:21.962416887 CET	443	49758	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:21.965193033 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:21.976391077 CET	49759	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:21.976417065 CET	443	49759	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:21.980758905 CET	49759	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:21.992505074 CET	49759	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:21.992523909 CET	443	49759	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:22.069706917 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:22.083616972 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:22.117182970 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:22.133712053 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:22.557687044 CET	443	49756	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:22.557944059 CET	49756	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:22.560976982 CET	49756	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:22.560991049 CET	443	49756	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:22.561320066 CET	443	49756	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:22.563688040 CET	49756	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:22.563808918 CET	49756	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:22.563937902 CET	443	49756	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:22.564110994 CET	49756	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:22.574206114 CET	443	49758	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:22.574326038 CET	49758	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:22.578481913 CET	49758	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:22.578489065 CET	443	49758	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:22.578572035 CET	49758	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:22.578635931 CET	443	49758	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:22.578737020 CET	49758	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:22.654112101 CET	443	49759	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:22.654249907 CET	49759	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:22.658664942 CET	49759	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:22.658674955 CET	443	49759	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:22.658725023 CET	49759	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:22.658922911 CET	443	49759	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:22.659058094 CET	49759	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:26.291918993 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:26.297420025 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:26.417859077 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:26.472743988 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:26.603502989 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:26.608905077 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:26.615160942 CET	49764	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:26.615219116 CET	443	49764	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:26.615336895 CET	49764	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:26.616672039 CET	49764	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:26.616691113 CET	443	49764	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:26.727132082 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:26.773617983 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:27.229554892 CET	443	49764	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:27.230297089 CET	49764	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:27.620513916 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:27.620573997 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:27.621565104 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:27.621750116 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:27.621764898 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:27.624538898 CET	49764	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:27.624552011 CET	443	49764	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:27.624619961 CET	49764	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:27.625221968 CET	443	49764	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:27.626656055 CET	49764	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.041953087 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.041980028 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.043123007 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.043270111 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.043279886 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.233917952 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.233993053 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.352615118 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.352665901 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.353142977 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.355142117 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.355231047 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.355385065 CET	443	49766	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.356041908 CET	49766	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.658534050 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.665059090 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.668100119 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.668117046 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.668442965 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.710289955 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.724129915 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.724219084 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.724545002 CET	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:28.724617958 CET	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:28.947496891 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:28.948909998 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:28.952889919 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:28.954250097 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.072421074 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.073724031 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.080102921 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:29.080142021 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:29.080948114 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:29.082386017 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:29.082397938 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:29.127044916 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:29.127049923 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:29.147469997 CET	49769	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:29.147490025 CET	443	49769	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:29.147885084 CET	49769	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:29.149319887 CET	49769	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:29.149327993 CET	443	49769	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:29.167114019 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:29.170842886 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:29.175035000 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.176181078 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.293905973 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.295310974 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.343379021 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:29.343381882 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:29.401458979 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:29.407222033 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.528069019 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:29.581641912 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:29.696403027 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:29.696502924 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:29.757427931 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:29.757462025 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:29.757527113 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:29.758085012 CET	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 19:55:29.758162022 CET	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:55:29.763621092 CET	443	49769	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:29.763701916 CET	49769	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:30.806804895 CET	49769	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:30.806834936 CET	443	49769	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:30.806874037 CET	49769	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:30.807116985 CET	443	49769	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:30.807298899 CET	49769	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:30.811338902 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:30.816684008 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:30.935959101 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:30.985646963 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:31.227190971 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:31.228972912 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:31.232685089 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:31.234411955 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:31.352505922 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:31.353327990 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:31.402412891 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:31.402960062 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:32.067451000 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:32.073719025 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:32.193999052 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:32.235934019 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:40.440547943 CET	49770	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:40.440597057 CET	443	49770	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:40.442950010 CET	49770	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:40.443041086 CET	49770	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:40.443049908 CET	443	49770	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:40.448776007 CET	49771	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:40.448812962 CET	443	49771	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:40.448996067 CET	49771	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:40.452931881 CET	49771	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:40.452950954 CET	443	49771	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:40.499984980 CET	49772	443	192.168.2.4	151.101.1.91
Oct 27, 2024 19:55:40.500025034 CET	443	49772	151.101.1.91	192.168.2.4
Oct 27, 2024 19:55:40.500165939 CET	49772	443	192.168.2.4	151.101.1.91
Oct 27, 2024 19:55:40.500292063 CET	49772	443	192.168.2.4	151.101.1.91
Oct 27, 2024 19:55:40.500303030 CET	443	49772	151.101.1.91	192.168.2.4
Oct 27, 2024 19:55:40.578936100 CET	49773	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:40.578960896 CET	443	49773	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:40.582261086 CET	49773	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:40.583657980 CET	49773	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:40.583673000 CET	443	49773	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:40.611506939 CET	49774	443	192.168.2.4	35.201.103.21
Oct 27, 2024 19:55:40.611568928 CET	443	49774	35.201.103.21	192.168.2.4
Oct 27, 2024 19:55:40.613723993 CET	49774	443	192.168.2.4	35.201.103.21
Oct 27, 2024 19:55:40.615277052 CET	49774	443	192.168.2.4	35.201.103.21
Oct 27, 2024 19:55:40.615292072 CET	443	49774	35.201.103.21	192.168.2.4
Oct 27, 2024 19:55:41.050224066 CET	443	49770	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.050329924 CET	49770	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.053373098 CET	49770	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.053386927 CET	443	49770	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.053709984 CET	443	49770	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.056060076 CET	49770	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.056176901 CET	49770	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.056227922 CET	443	49770	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.056833982 CET	49770	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.060226917 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.065751076 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.069466114 CET	443	49771	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.069549084 CET	49771	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.072280884 CET	49771	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.072288990 CET	443	49771	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.072604895 CET	443	49771	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.074585915 CET	49771	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.074672937 CET	49771	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.074765921 CET	443	49771	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.075638056 CET	49771	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.139676094 CET	443	49772	151.101.1.91	192.168.2.4
Oct 27, 2024 19:55:41.139827967 CET	49772	443	192.168.2.4	151.101.1.91
Oct 27, 2024 19:55:41.142534018 CET	49772	443	192.168.2.4	151.101.1.91
Oct 27, 2024 19:55:41.142545938 CET	443	49772	151.101.1.91	192.168.2.4
Oct 27, 2024 19:55:41.142745018 CET	443	49772	151.101.1.91	192.168.2.4
Oct 27, 2024 19:55:41.144859076 CET	49772	443	192.168.2.4	151.101.1.91
Oct 27, 2024 19:55:41.144927025 CET	49772	443	192.168.2.4	151.101.1.91
Oct 27, 2024 19:55:41.144968987 CET	443	49772	151.101.1.91	192.168.2.4
Oct 27, 2024 19:55:41.150141954 CET	49772	443	192.168.2.4	151.101.1.91
Oct 27, 2024 19:55:41.151628017 CET	49775	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.151657104 CET	443	49775	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.151772022 CET	49775	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.151890039 CET	49775	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.151906967 CET	443	49775	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.153603077 CET	49776	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.153630018 CET	443	49776	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.153891087 CET	49776	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.153995991 CET	49776	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.154005051 CET	443	49776	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.155546904 CET	49777	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.155579090 CET	443	49777	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.155868053 CET	49777	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.155958891 CET	49777	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.155968904 CET	443	49777	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.185671091 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.188235998 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.193712950 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.205827951 CET	443	49773	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:41.206080914 CET	49773	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:41.210717916 CET	49773	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:41.210724115 CET	443	49773	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:41.210798025 CET	49773	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:41.211391926 CET	443	49773	35.190.72.216	192.168.2.4
Oct 27, 2024 19:55:41.211460114 CET	49773	443	192.168.2.4	35.190.72.216
Oct 27, 2024 19:55:41.212851048 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:41.212897062 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:41.213130951 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:41.214481115 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:41.214500904 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:41.214582920 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.219945908 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.238082886 CET	443	49774	35.201.103.21	192.168.2.4
Oct 27, 2024 19:55:41.238157988 CET	49774	443	192.168.2.4	35.201.103.21
Oct 27, 2024 19:55:41.242523909 CET	49774	443	192.168.2.4	35.201.103.21
Oct 27, 2024 19:55:41.242532969 CET	443	49774	35.201.103.21	192.168.2.4
Oct 27, 2024 19:55:41.242615938 CET	49774	443	192.168.2.4	35.201.103.21
Oct 27, 2024 19:55:41.242732048 CET	443	49774	35.201.103.21	192.168.2.4
Oct 27, 2024 19:55:41.245539904 CET	49774	443	192.168.2.4	35.201.103.21
Oct 27, 2024 19:55:41.253745079 CET	49779	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.253772020 CET	443	49779	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.253873110 CET	49779	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.253958941 CET	49779	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.253973007 CET	443	49779	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.314423084 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.338128090 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.340858936 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.346390963 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.386814117 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.466931105 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.518225908 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.773638964 CET	443	49777	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.773716927 CET	49777	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.774873972 CET	443	49775	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.776139021 CET	49777	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.776155949 CET	443	49777	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.776350975 CET	49775	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.776474953 CET	443	49777	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.778386116 CET	49775	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.778405905 CET	443	49775	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.779458046 CET	443	49775	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.780654907 CET	49777	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.780836105 CET	443	49777	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.780848026 CET	49777	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.780858040 CET	443	49777	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.781189919 CET	49775	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.781233072 CET	49775	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.781599998 CET	443	49775	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.781801939 CET	49775	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.785367966 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.790802956 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.793390989 CET	443	49776	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.793481112 CET	49776	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.796077013 CET	49776	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.796108961 CET	443	49776	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.796446085 CET	443	49776	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.798789978 CET	49776	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.798878908 CET	49776	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.798979998 CET	443	49776	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.799160957 CET	49776	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:41.820302010 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:41.820369005 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:41.824245930 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:41.824255943 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:41.824312925 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:41.824516058 CET	443	49778	34.107.243.93	192.168.2.4
Oct 27, 2024 19:55:41.824661970 CET	49778	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:55:41.867995977 CET	443	49779	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.868069887 CET	49779	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.870595932 CET	49779	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.870603085 CET	443	49779	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.870928049 CET	443	49779	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.873292923 CET	49779	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.873368979 CET	49779	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.873486996 CET	443	49779	34.149.100.209	192.168.2.4
Oct 27, 2024 19:55:41.873598099 CET	49779	443	192.168.2.4	34.149.100.209
Oct 27, 2024 19:55:41.908623934 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.911598921 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.916965961 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:41.957160950 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:41.991332054 CET	443	49777	35.244.181.201	192.168.2.4
Oct 27, 2024 19:55:41.995151997 CET	49777	443	192.168.2.4	35.244.181.201
Oct 27, 2024 19:55:42.037887096 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:42.088690996 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:51.916306973 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:51.921652079 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:55:52.047821999 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:55:52.053220987 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:01.930140018 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:01.935642958 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:02.008399010 CET	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:02.008482933 CET	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:02.008975983 CET	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:02.010358095 CET	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:02.010406971 CET	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:02.061844110 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:02.067290068 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:02.609505892 CET	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:02.615334034 CET	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:02.616314888 CET	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:02.620851040 CET	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:02.620877028 CET	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:02.620951891 CET	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:02.621059895 CET	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:02.621280909 CET	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:02.623404980 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:02.628861904 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:02.892913103 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:02.897267103 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:02.902786016 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:02.933032990 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:03.023673058 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:03.064574003 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:10.285001040 CET	49830	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.285082102 CET	443	49830	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.285190105 CET	49831	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.285244942 CET	443	49831	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.285623074 CET	49830	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.285851002 CET	49831	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.291152954 CET	49830	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.291188955 CET	443	49830	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.291460037 CET	49831	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.291495085 CET	443	49831	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.292181015 CET	49832	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.292212963 CET	443	49832	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.293013096 CET	49832	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.293209076 CET	49832	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.293219090 CET	443	49832	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.905741930 CET	443	49832	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.906147957 CET	49832	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.910561085 CET	49832	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.910573959 CET	443	49832	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.911607981 CET	443	49832	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.914835930 CET	49832	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.914931059 CET	49832	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.915601015 CET	443	49832	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.917789936 CET	49832	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.931333065 CET	443	49831	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.931514978 CET	49831	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.935626030 CET	49831	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.935656071 CET	443	49831	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.936013937 CET	443	49831	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.939132929 CET	49831	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.939132929 CET	49831	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.939426899 CET	443	49831	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.939634085 CET	49831	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.940788031 CET	443	49830	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.940959930 CET	49830	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.944744110 CET	49830	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.944797993 CET	443	49830	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.945132017 CET	443	49830	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.948235035 CET	49830	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.948311090 CET	49830	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.948429108 CET	443	49830	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.948515892 CET	49830	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.959326982 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:10.964742899 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:10.992933035 CET	49836	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.992974997 CET	443	49836	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.993211985 CET	49837	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.993294001 CET	443	49837	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.994014978 CET	49836	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.994157076 CET	49837	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.994178057 CET	49836	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.994194031 CET	443	49836	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:10.994286060 CET	49837	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:10.994317055 CET	443	49837	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.025964975 CET	49839	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.026046991 CET	443	49839	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.026196003 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.026276112 CET	443	49840	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.026374102 CET	49839	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.026375055 CET	49839	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.026521921 CET	443	49839	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.026762962 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.026763916 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.026897907 CET	443	49840	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.082633972 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.151354074 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:11.173006058 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:11.178719044 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.299844027 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.347130060 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:11.609201908 CET	443	49836	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.609328985 CET	49836	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.613449097 CET	443	49837	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.615031958 CET	49836	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.615045071 CET	443	49836	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.615340948 CET	49837	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.615442038 CET	443	49836	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.618741989 CET	49837	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.618788004 CET	443	49837	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.619291067 CET	443	49837	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.622395039 CET	49836	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.622757912 CET	49836	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.622823000 CET	443	49836	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.623241901 CET	49837	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.623337030 CET	49837	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.623656988 CET	443	49837	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.625502110 CET	49836	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.625535965 CET	49837	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.626374006 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:11.632041931 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.649490118 CET	443	49840	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.649626970 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.653848886 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.653889894 CET	443	49840	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.654283047 CET	443	49840	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.657259941 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.657336950 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.657435894 CET	443	49840	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.659025908 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.659065008 CET	49840	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.673636913 CET	443	49839	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.678888083 CET	49839	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.681662083 CET	49839	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.681724072 CET	443	49839	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.682463884 CET	443	49839	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.684362888 CET	49839	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.684492111 CET	49839	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.684809923 CET	443	49839	34.120.208.123	192.168.2.4
Oct 27, 2024 19:56:11.686439991 CET	49839	443	192.168.2.4	34.120.208.123
Oct 27, 2024 19:56:11.749511957 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.768356085 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:11.773874044 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.810866117 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:11.853960037 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:11.859297037 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.894999027 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.942375898 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:11.994791031 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:11.998043060 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:12.004854918 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:12.042690039 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:12.125416040 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:12.180746078 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:22.010271072 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:22.016015053 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:22.141838074 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:22.147331953 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:32.018126965 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:32.023786068 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:32.156199932 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:32.161575079 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:42.030738115 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:42.036210060 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:42.169013977 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:42.174530029 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:43.285609007 CET	50020	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:43.285742044 CET	443	50020	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:43.286057949 CET	50020	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:43.287415028 CET	50020	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:43.287466049 CET	443	50020	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:43.917804956 CET	443	50020	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:43.918015003 CET	50020	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:43.923753977 CET	50020	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:43.923794031 CET	443	50020	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:43.923834085 CET	50020	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:43.924066067 CET	443	50020	34.107.243.93	192.168.2.4
Oct 27, 2024 19:56:43.924665928 CET	50020	443	192.168.2.4	34.107.243.93
Oct 27, 2024 19:56:43.926492929 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:43.931956053 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:44.049629927 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:44.053442955 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:44.058984995 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:44.105664968 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:44.179474115 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:44.221571922 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:54.050493002 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:54.055815935 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:56:54.182189941 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:56:54.187649965 CET	80	49753	34.107.221.82	192.168.2.4
Oct 27, 2024 19:57:04.062644958 CET	49754	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:57:04.068087101 CET	80	49754	34.107.221.82	192.168.2.4
Oct 27, 2024 19:57:04.194324970 CET	49753	80	192.168.2.4	34.107.221.82
Oct 27, 2024 19:57:04.199717045 CET	80	49753	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 19:55:12.307420015 CET	50206	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:12.315578938 CET	53	50206	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:12.356178045 CET	54040	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:12.366873026 CET	53	54040	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:14.439057112 CET	64592	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.440362930 CET	56191	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.446322918 CET	53	64592	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:14.447679043 CET	64695	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.456186056 CET	53	64695	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:14.485889912 CET	56286	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.493319035 CET	53	56286	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:14.496433020 CET	55678	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.505212069 CET	53	55678	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:14.534359932 CET	58119	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.542197943 CET	53	58119	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:14.778908968 CET	53918	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.787182093 CET	53	53918	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:14.788402081 CET	63004	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.796124935 CET	53	63004	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:14.796747923 CET	51753	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:14.804764032 CET	53	51753	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:15.065699100 CET	59050	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:15.079786062 CET	53	59050	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:15.097368002 CET	61954	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:15.105179071 CET	53	61954	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:15.108455896 CET	54395	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:15.116333961 CET	53	54395	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:15.236844063 CET	55036	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:15.244246006 CET	53	55036	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:15.249485970 CET	56489	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:15.251250982 CET	49466	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:15.253303051 CET	52213	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:15.257292032 CET	53	56489	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:15.259057045 CET	53	49466	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:15.280249119 CET	60862	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:15.287545919 CET	53	60862	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:15.288814068 CET	62693	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:16.279426098 CET	64227	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:16.287106037 CET	53	64227	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:16.287834883 CET	63833	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:16.295456886 CET	53	63833	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:16.299942017 CET	62693	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:16.308723927 CET	53	62693	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:16.818999052 CET	60751	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:16.861696959 CET	53	50554	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:17.607340097 CET	60012	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:17.619668007 CET	53	60012	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:17.627079964 CET	59812	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:17.642462969 CET	53	59812	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:17.661468983 CET	63324	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:17.669866085 CET	53	63324	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.918905973 CET	56913	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.926315069 CET	53	56913	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.929729939 CET	60233	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.931898117 CET	57183	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.937125921 CET	53	60233	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.941348076 CET	53	57183	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.955349922 CET	52261	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.957408905 CET	55026	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.966120958 CET	60485	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.966474056 CET	53	55026	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.966485023 CET	53	52261	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.970838070 CET	51037	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.974455118 CET	53	60485	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.976567030 CET	52431	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.979379892 CET	53	51037	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.984874964 CET	53	52431	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:21.989800930 CET	49322	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:21.998070955 CET	53	49322	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:26.605730057 CET	52067	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:26.613980055 CET	53	52067	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:29.147665024 CET	63131	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:29.156245947 CET	53	63131	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.532236099 CET	64536	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.532385111 CET	54089	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.532608032 CET	50414	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.541811943 CET	53	64536	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.542382956 CET	53	54089	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.543142080 CET	51192	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.543698072 CET	51395	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.543828011 CET	53	50414	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.544348001 CET	60485	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.553251982 CET	53	51192	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.553750992 CET	64456	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.553812981 CET	53	51395	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.553848028 CET	53	60485	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.554409981 CET	58307	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.554444075 CET	58978	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.565207005 CET	53	58978	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.565238953 CET	53	64456	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.570324898 CET	50834	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.571048021 CET	53	58307	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.571336985 CET	58531	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.581516981 CET	53	50834	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.581547976 CET	53	58531	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.582168102 CET	60562	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.582325935 CET	60312	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.591095924 CET	53	60562	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.591126919 CET	53	60312	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.591583014 CET	58862	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.591620922 CET	51749	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:33.601886988 CET	53	51749	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:33.601986885 CET	53	58862	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:40.441056967 CET	59711	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:40.446943998 CET	60011	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:40.449115038 CET	53	59711	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:40.449800014 CET	61118	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:40.457551956 CET	53	61118	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:40.499057055 CET	53	60011	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:40.500355959 CET	58081	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:40.508784056 CET	53	58081	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:40.513489962 CET	57519	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:40.521809101 CET	53	57519	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:40.579449892 CET	57506	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:40.587388992 CET	53	57506	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:40.612629890 CET	62003	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:40.621028900 CET	53	62003	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:40.625395060 CET	54089	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:40.632905960 CET	53	54089	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:41.204108000 CET	60241	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:41.211822033 CET	53	60241	1.1.1.1	192.168.2.4
Oct 27, 2024 19:55:41.212488890 CET	53578	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:55:41.219860077 CET	53	53578	1.1.1.1	192.168.2.4
Oct 27, 2024 19:56:01.996865988 CET	60593	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:56:02.004467964 CET	53	60593	1.1.1.1	192.168.2.4
Oct 27, 2024 19:56:02.007766962 CET	60024	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:56:02.016858101 CET	53	60024	1.1.1.1	192.168.2.4
Oct 27, 2024 19:56:02.623811007 CET	60418	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:56:02.632630110 CET	64056	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:56:02.641417980 CET	53	64056	1.1.1.1	192.168.2.4
Oct 27, 2024 19:56:10.253241062 CET	64327	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:56:10.263667107 CET	53	64327	1.1.1.1	192.168.2.4
Oct 27, 2024 19:56:43.276786089 CET	50389	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:56:43.284492016 CET	53	50389	1.1.1.1	192.168.2.4
Oct 27, 2024 19:56:43.285608053 CET	50546	53	192.168.2.4	1.1.1.1
Oct 27, 2024 19:56:43.298094988 CET	53	50546	1.1.1.1	192.168.2.4
Oct 27, 2024 19:56:43.926809072 CET	54872	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 19:55:12.307420015 CET	192.168.2.4	1.1.1.1	0x7547	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:12.356178045 CET	192.168.2.4	1.1.1.1	0x7b58	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:14.439057112 CET	192.168.2.4	1.1.1.1	0x8fb2	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.440362930 CET	192.168.2.4	1.1.1.1	0xb3f9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.447679043 CET	192.168.2.4	1.1.1.1	0x3b10	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.485889912 CET	192.168.2.4	1.1.1.1	0x5643	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.496433020 CET	192.168.2.4	1.1.1.1	0x2d1a	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:14.534359932 CET	192.168.2.4	1.1.1.1	0x9a77	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:14.778908968 CET	192.168.2.4	1.1.1.1	0x7af2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.788402081 CET	192.168.2.4	1.1.1.1	0x95bf	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.796747923 CET	192.168.2.4	1.1.1.1	0xbed0	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:15.065699100 CET	192.168.2.4	1.1.1.1	0x631a	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.097368002 CET	192.168.2.4	1.1.1.1	0xd99f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.108455896 CET	192.168.2.4	1.1.1.1	0x1fad	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:15.236844063 CET	192.168.2.4	1.1.1.1	0xd397	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.249485970 CET	192.168.2.4	1.1.1.1	0xaf97	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.251250982 CET	192.168.2.4	1.1.1.1	0x8d7	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.253303051 CET	192.168.2.4	1.1.1.1	0xd203	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.280249119 CET	192.168.2.4	1.1.1.1	0x6348	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.288814068 CET	192.168.2.4	1.1.1.1	0xb69b	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:16.279426098 CET	192.168.2.4	1.1.1.1	0xbfd4	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:16.287834883 CET	192.168.2.4	1.1.1.1	0xc952	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:16.299942017 CET	192.168.2.4	1.1.1.1	0xb69b	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:16.818999052 CET	192.168.2.4	1.1.1.1	0x15eb	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:17.607340097 CET	192.168.2.4	1.1.1.1	0x4c82	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:17.627079964 CET	192.168.2.4	1.1.1.1	0x6bb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:17.661468983 CET	192.168.2.4	1.1.1.1	0xdd95	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:21.918905973 CET	192.168.2.4	1.1.1.1	0x7bba	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.929729939 CET	192.168.2.4	1.1.1.1	0xe707	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:21.931898117 CET	192.168.2.4	1.1.1.1	0xe73e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.955349922 CET	192.168.2.4	1.1.1.1	0x1b5d	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:21.957408905 CET	192.168.2.4	1.1.1.1	0x53e7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.966120958 CET	192.168.2.4	1.1.1.1	0x24e8	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.970838070 CET	192.168.2.4	1.1.1.1	0xceb9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:21.976567030 CET	192.168.2.4	1.1.1.1	0x14a5	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.989800930 CET	192.168.2.4	1.1.1.1	0x3997	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:26.605730057 CET	192.168.2.4	1.1.1.1	0x3dba	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:29.147665024 CET	192.168.2.4	1.1.1.1	0x85a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:33.532236099 CET	192.168.2.4	1.1.1.1	0x707	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.532385111 CET	192.168.2.4	1.1.1.1	0xc326	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.532608032 CET	192.168.2.4	1.1.1.1	0xa318	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.543142080 CET	192.168.2.4	1.1.1.1	0x79d5	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.543698072 CET	192.168.2.4	1.1.1.1	0x9c58	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.544348001 CET	192.168.2.4	1.1.1.1	0xb705	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553750992 CET	192.168.2.4	1.1.1.1	0xd97e	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:33.554409981 CET	192.168.2.4	1.1.1.1	0xf332	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 27, 2024 19:55:33.554444075 CET	192.168.2.4	1.1.1.1	0x4e2e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:33.570324898 CET	192.168.2.4	1.1.1.1	0x134c	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.571336985 CET	192.168.2.4	1.1.1.1	0xa7ef	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.582168102 CET	192.168.2.4	1.1.1.1	0x80a0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.582325935 CET	192.168.2.4	1.1.1.1	0x6bfb	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.591583014 CET	192.168.2.4	1.1.1.1	0x5989	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:33.591620922 CET	192.168.2.4	1.1.1.1	0xeddb	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:40.441056967 CET	192.168.2.4	1.1.1.1	0x5dec	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.446943998 CET	192.168.2.4	1.1.1.1	0x1aff	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.449800014 CET	192.168.2.4	1.1.1.1	0x14a0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:55:40.500355959 CET	192.168.2.4	1.1.1.1	0x8bec	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.513489962 CET	192.168.2.4	1.1.1.1	0xd8b7	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 27, 2024 19:55:40.579449892 CET	192.168.2.4	1.1.1.1	0x2fe4	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.612629890 CET	192.168.2.4	1.1.1.1	0xb084	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.625395060 CET	192.168.2.4	1.1.1.1	0xbef	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:55:41.204108000 CET	192.168.2.4	1.1.1.1	0x272	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:41.212488890 CET	192.168.2.4	1.1.1.1	0x45fd	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:56:01.996865988 CET	192.168.2.4	1.1.1.1	0x4f8d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:56:02.007766962 CET	192.168.2.4	1.1.1.1	0xbb76	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:56:02.623811007 CET	192.168.2.4	1.1.1.1	0xb2cc	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:56:02.632630110 CET	192.168.2.4	1.1.1.1	0x7129	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 19:56:10.253241062 CET	192.168.2.4	1.1.1.1	0x3056	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:56:43.276786089 CET	192.168.2.4	1.1.1.1	0x8446	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:56:43.285608053 CET	192.168.2.4	1.1.1.1	0xfd72	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 19:56:43.926809072 CET	192.168.2.4	1.1.1.1	0xfddf	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 19:55:12.303356886 CET	1.1.1.1	192.168.2.4	0x2f82	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:12.315578938 CET	1.1.1.1	192.168.2.4	0x7547	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.446322918 CET	1.1.1.1	192.168.2.4	0x8fb2	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.447993994 CET	1.1.1.1	192.168.2.4	0xb3f9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:14.447993994 CET	1.1.1.1	192.168.2.4	0xb3f9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.456186056 CET	1.1.1.1	192.168.2.4	0x3b10	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.493319035 CET	1.1.1.1	192.168.2.4	0x5643	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.505212069 CET	1.1.1.1	192.168.2.4	0x2d1a	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 27, 2024 19:55:14.542197943 CET	1.1.1.1	192.168.2.4	0x9a77	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 19:55:14.787182093 CET	1.1.1.1	192.168.2.4	0x7af2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:14.796124935 CET	1.1.1.1	192.168.2.4	0x95bf	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.079786062 CET	1.1.1.1	192.168.2.4	0x631a	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:15.079786062 CET	1.1.1.1	192.168.2.4	0x631a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.105179071 CET	1.1.1.1	192.168.2.4	0xd99f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.244246006 CET	1.1.1.1	192.168.2.4	0xd397	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.257292032 CET	1.1.1.1	192.168.2.4	0xaf97	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.257292032 CET	1.1.1.1	192.168.2.4	0xaf97	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.259057045 CET	1.1.1.1	192.168.2.4	0x8d7	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:15.259057045 CET	1.1.1.1	192.168.2.4	0x8d7	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:15.259057045 CET	1.1.1.1	192.168.2.4	0x8d7	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.261029005 CET	1.1.1.1	192.168.2.4	0xd203	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:15.261029005 CET	1.1.1.1	192.168.2.4	0xd203	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:15.287545919 CET	1.1.1.1	192.168.2.4	0x6348	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:16.278095961 CET	1.1.1.1	192.168.2.4	0x1175	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:16.278095961 CET	1.1.1.1	192.168.2.4	0x1175	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:16.287106037 CET	1.1.1.1	192.168.2.4	0xbfd4	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:16.308723927 CET	1.1.1.1	192.168.2.4	0xb69b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 19:55:16.827486038 CET	1.1.1.1	192.168.2.4	0x15eb	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:17.619668007 CET	1.1.1.1	192.168.2.4	0x4c82	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:17.642462969 CET	1.1.1.1	192.168.2.4	0x6bb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.924063921 CET	1.1.1.1	192.168.2.4	0x66d1	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:21.924063921 CET	1.1.1.1	192.168.2.4	0x66d1	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.926315069 CET	1.1.1.1	192.168.2.4	0x7bba	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:21.926315069 CET	1.1.1.1	192.168.2.4	0x7bba	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:21.926315069 CET	1.1.1.1	192.168.2.4	0x7bba	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.941348076 CET	1.1.1.1	192.168.2.4	0xe73e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.953922987 CET	1.1.1.1	192.168.2.4	0x2ca4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.966474056 CET	1.1.1.1	192.168.2.4	0x53e7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.974455118 CET	1.1.1.1	192.168.2.4	0x24e8	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:21.974455118 CET	1.1.1.1	192.168.2.4	0x24e8	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:21.984874964 CET	1.1.1.1	192.168.2.4	0x14a5	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:26.611798048 CET	1.1.1.1	192.168.2.4	0x8622	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.541811943 CET	1.1.1.1	192.168.2.4	0x707	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.542382956 CET	1.1.1.1	192.168.2.4	0xc326	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:33.542382956 CET	1.1.1.1	192.168.2.4	0xc326	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.543828011 CET	1.1.1.1	192.168.2.4	0xa318	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:33.543828011 CET	1.1.1.1	192.168.2.4	0xa318	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553251982 CET	1.1.1.1	192.168.2.4	0x79d5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553812981 CET	1.1.1.1	192.168.2.4	0x9c58	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.553848028 CET	1.1.1.1	192.168.2.4	0xb705	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.565207005 CET	1.1.1.1	192.168.2.4	0x4e2e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 27, 2024 19:55:33.565238953 CET	1.1.1.1	192.168.2.4	0xd97e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 19:55:33.565238953 CET	1.1.1.1	192.168.2.4	0xd97e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 19:55:33.565238953 CET	1.1.1.1	192.168.2.4	0xd97e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 19:55:33.565238953 CET	1.1.1.1	192.168.2.4	0xd97e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 19:55:33.571048021 CET	1.1.1.1	192.168.2.4	0xf332	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 27, 2024 19:55:33.581516981 CET	1.1.1.1	192.168.2.4	0x134c	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:33.581516981 CET	1.1.1.1	192.168.2.4	0x134c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.581516981 CET	1.1.1.1	192.168.2.4	0x134c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.581516981 CET	1.1.1.1	192.168.2.4	0x134c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.581516981 CET	1.1.1.1	192.168.2.4	0x134c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.581547976 CET	1.1.1.1	192.168.2.4	0xa7ef	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.591095924 CET	1.1.1.1	192.168.2.4	0x80a0	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.591126919 CET	1.1.1.1	192.168.2.4	0x6bfb	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.591126919 CET	1.1.1.1	192.168.2.4	0x6bfb	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.591126919 CET	1.1.1.1	192.168.2.4	0x6bfb	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:33.591126919 CET	1.1.1.1	192.168.2.4	0x6bfb	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.449115038 CET	1.1.1.1	192.168.2.4	0x5dec	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.499057055 CET	1.1.1.1	192.168.2.4	0x1aff	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.499057055 CET	1.1.1.1	192.168.2.4	0x1aff	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.499057055 CET	1.1.1.1	192.168.2.4	0x1aff	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.499057055 CET	1.1.1.1	192.168.2.4	0x1aff	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.508784056 CET	1.1.1.1	192.168.2.4	0x8bec	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.508784056 CET	1.1.1.1	192.168.2.4	0x8bec	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.508784056 CET	1.1.1.1	192.168.2.4	0x8bec	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.508784056 CET	1.1.1.1	192.168.2.4	0x8bec	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.587388992 CET	1.1.1.1	192.168.2.4	0x2fe4	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:40.587388992 CET	1.1.1.1	192.168.2.4	0x2fe4	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:40.621028900 CET	1.1.1.1	192.168.2.4	0xb084	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:41.211822033 CET	1.1.1.1	192.168.2.4	0x272	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:55:41.907159090 CET	1.1.1.1	192.168.2.4	0xdd21	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:55:41.907159090 CET	1.1.1.1	192.168.2.4	0xdd21	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:56:02.004467964 CET	1.1.1.1	192.168.2.4	0x4f8d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:56:02.631397963 CET	1.1.1.1	192.168.2.4	0xb2cc	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:56:02.631397963 CET	1.1.1.1	192.168.2.4	0xb2cc	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:56:02.641417980 CET	1.1.1.1	192.168.2.4	0x7129	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 19:56:10.262042999 CET	1.1.1.1	192.168.2.4	0xf619	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:56:43.284492016 CET	1.1.1.1	192.168.2.4	0x8446	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 19:56:43.936960936 CET	1.1.1.1	192.168.2.4	0xfddf	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 19:56:43.936960936 CET	1.1.1.1	192.168.2.4	0xfddf	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	6492	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 19:55:14.558516979 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:15.160928965 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82627 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:15.826787949 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:15.954040051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82627 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:16.954672098 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:17.081316948 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82629 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	34.107.221.82	80	6492	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 19:55:15.281387091 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:15.875931025 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27848 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:16.816567898 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:16.943486929 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27849 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49753	34.107.221.82	80	6492	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 19:55:17.377552032 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:17.986421108 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27850 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:21.943855047 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:22.069706917 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27855 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:26.291918993 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:26.417859077 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27859 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:28.947496891 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:29.073724031 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27862 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:29.167114019 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:29.295310974 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27862 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:29.401458979 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:29.528069019 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27862 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:31.227190971 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:31.353327990 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27864 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:32.067451000 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:32.193999052 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27865 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:41.188235998 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:41.314423084 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27874 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:41.340858936 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:41.466931105 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27874 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:41.911598921 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:55:42.037887096 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27874 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:55:52.047821999 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:02.061844110 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:02.897267103 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:56:03.023673058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27895 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:56:11.173006058 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:56:11.299844027 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27904 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:56:11.768356085 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:56:11.894999027 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27904 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:56:11.998043060 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:56:12.125416040 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27905 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:56:22.141838074 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:32.156199932 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:42.169013977 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:44.053442955 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 19:56:44.179474115 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 27937 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 19:56:54.182189941 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:57:04.194324970 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	34.107.221.82	80	6492	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 19:55:17.563813925 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:18.168382883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82630 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:21.959835052 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:22.083616972 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82634 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:26.603502989 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:26.727132082 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82638 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:28.948909998 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:29.072421074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82641 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:29.170842886 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:29.293905973 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82641 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:30.811338902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:30.935959101 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82642 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:31.228972912 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:31.352505922 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82643 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:41.060226917 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:41.185671091 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82653 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:41.214582920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:41.338128090 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82653 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:41.785367966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:55:41.908623934 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82653 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:55:51.916306973 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:01.930140018 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:02.623404980 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:56:02.892913103 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82674 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:56:10.959326982 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:56:11.082633972 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82683 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:56:11.626374006 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:56:11.749511957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82683 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:56:11.853960037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:56:11.994791031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82683 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:56:22.010271072 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:32.018126965 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:42.030738115 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:56:43.926492929 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 19:56:44.049629927 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 19:58:08 GMT Age: 82715 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 19:56:54.050493002 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 19:57:04.062644958 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	14:55:05
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa00000
File size:	919'552 bytes
MD5 hash:	55990899D8E850771B61542EA3D37EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:55:05
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:55:05
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:55:07
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:55:07
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:55:08
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	14:55:09
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f88346-6333-4799-959c-912c4b9d23ab} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2af85e6d710 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	14:55:12
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -parentBuildID 20230927232528 -prefsHandle 3292 -prefMapHandle 3320 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19710090-97b7-4bed-989f-fc83a0214d86} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2af97d73f10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	14:55:21
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5144 -prefMapHandle 4744 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a8eb069-afd9-4fee-99d8-1d4b5ab48262} 6492 "\\.\pipe\gecko-crash-server-pipe.6492" 2afa1ba7f10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	1512
Total number of Limit Nodes:	51

Executed Functions

Function 00A042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A0430D

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

GetCurrentProcess.KERNEL32(?,00A9CB64,00000000,?,?), ref: 00A04422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00A04429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A04454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A04466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00A04474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A0447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00A044A0

Strings

kernel32.dll, xrefs: 00A0444F
GetNativeSystemInfo, xrefs: 00A04460
|O, xrefs: 00A436F8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8cd282573c20b1cb25f2662c8b1f91d790d9cdebe8de93b35e865463aaae15f2
Instruction ID: 0aa2a0d01a97b9c341f31f59668bd33e645e84415fdd03b614e67b8c30de02f4
Opcode Fuzzy Hash: 8cd282573c20b1cb25f2662c8b1f91d790d9cdebe8de93b35e865463aaae15f2
Instruction Fuzzy Hash: 9DA1C7B690B3C4FFCB91C7E9BC851957FA5BB66700B18489BD0839FA62D2314607DB21

Function 00A042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A050AA,?,?,00000000,00000000), ref: 00A042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A050AA,?,?,00000000,00000000), ref: 00A042C9
LoadResource.KERNEL32(?,00000000,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20), ref: 00A435BE
SizeofResource.KERNEL32(?,00000000,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20), ref: 00A435D3
LockResource.KERNEL32(00A050AA,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20,?), ref: 00A435E6

Strings

SCRIPT, xrefs: 00A042BF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ed765d32bc0aea1134e4fddaa50086afb962de5f54753b80cf991f106787959d
Instruction ID: 56e3dcd90e2db2b343185272d30b45b7a82242fd7a44860966bff67439a31f8f
Opcode Fuzzy Hash: ed765d32bc0aea1134e4fddaa50086afb962de5f54753b80cf991f106787959d
Instruction Fuzzy Hash: A0117CB1300B04BFDB219BA5EC48FA77BB9FBC9B61F10816AB502D6290DF71D8018630

Function 00A42BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00A02B6B

Part of subcall function 00A03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD1418,?,00A02E7F,?,?,?,00000000), ref: 00A03A78

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00AC2224), ref: 00A42C10
ShellExecuteW.SHELL32(00000000,?,?,00AC2224), ref: 00A42C17

Strings

runas, xrefs: 00A42C0B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 5955b0bbcfa2c4f5064367bfcd30b456dc27a4be359f8a431b505e946bbc1dc0
Instruction ID: 4addac14d7e714eb3e080a56ebbb206201f5d3d7acee7dc071272eb307f48769
Opcode Fuzzy Hash: 5955b0bbcfa2c4f5064367bfcd30b456dc27a4be359f8a431b505e946bbc1dc0
Instruction Fuzzy Hash: 661106726083496ACB04FFA0FA56FBE77A8AB91350F44082EF142460E3CF20894AC713

Function 00A6D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A6D501
Process32FirstW.KERNEL32(00000000,?), ref: 00A6D50F
Process32NextW.KERNEL32(00000000,?), ref: 00A6D52F
CloseHandle.KERNELBASE(00000000), ref: 00A6D5DC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 28f2203f660066931b1cd981e7e50da21a87ddac7c24b14eb775101ec4640758
Instruction ID: 1335366f8ca703f128c0beba125ffc1aaea47c3eb4d5ec1cd84c5f273508bdb4
Opcode Fuzzy Hash: 28f2203f660066931b1cd981e7e50da21a87ddac7c24b14eb775101ec4640758
Instruction Fuzzy Hash: F531D6716083049FD300EF54D981AAFBBF8EF99394F10052DF586871A2EB719949CB93

Function 00A6DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00A45222), ref: 00A6DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00A6DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00A6DBEE
FindClose.KERNEL32(00000000), ref: 00A6DBFA

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 603aa57ad865e6e841f1c8c53b61d2cc40d70e5a85308f10d7ad3b7564e6e096
Instruction ID: 65f20fd1c38f7ddf6431b170db26d7884c4988c7a23b32a6f09825ed7394703e
Opcode Fuzzy Hash: 603aa57ad865e6e841f1c8c53b61d2cc40d70e5a85308f10d7ad3b7564e6e096
Instruction Fuzzy Hash: C5F0A030A10D1867C320EBB8AC0D8AA377C9E01374B504703F836C20E0EFB1599686D9

Function 00A24CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000,?,00A328E9), ref: 00A24D09
TerminateProcess.KERNEL32(00000000,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000,?,00A328E9), ref: 00A24D10
ExitProcess.KERNEL32 ref: 00A24D22

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 126e1dd148babfd75b9267349d2a82e3e74085b8b53b6f2afc1a612bcf5ce0b5
Instruction ID: e9d1ef9cc7db0d978f3f9defd79c9875ef7eac0cdb6d452a727b7428d7a368d2
Opcode Fuzzy Hash: 126e1dd148babfd75b9267349d2a82e3e74085b8b53b6f2afc1a612bcf5ce0b5
Instruction Fuzzy Hash: 4DE0B631104558AFCF11AF98EE0AA597B69EB45B91F104025FC098B122CB35DD42CA90

Function 00A0BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

(>, xrefs: 00A507CE

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: (>
API String ID: 3964851224-1398077073
Opcode ID: ff531cbb3b4e40c6344b58c1ac5c4cfc3e8d0a57335cb3b4b639ce6f384bff54
Instruction ID: 749edc8a5d4476a1ea715ee40442636824221a87d27e7f531cfde7ee369c0696
Opcode Fuzzy Hash: ff531cbb3b4e40c6344b58c1ac5c4cfc3e8d0a57335cb3b4b639ce6f384bff54
Instruction Fuzzy Hash: 57A26A706083459FD720DF28D480B6AB7F1BF89314F14896DE99A8B392D771EC45CB92

Function 00A8AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00A8B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B1D4
_wcslen.LIBCMT ref: 00A8B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B236
_wcslen.LIBCMT ref: 00A8B332

Part of subcall function 00A705A7: GetStdHandle.KERNEL32(000000F6), ref: 00A705C6

_wcslen.LIBCMT ref: 00A8B34B
_wcslen.LIBCMT ref: 00A8B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A8B3B6
GetLastError.KERNEL32(00000000), ref: 00A8B407
CloseHandle.KERNEL32(?), ref: 00A8B439
CloseHandle.KERNEL32(00000000), ref: 00A8B44A
CloseHandle.KERNEL32(00000000), ref: 00A8B45C
CloseHandle.KERNEL32(00000000), ref: 00A8B46E
CloseHandle.KERNEL32(?), ref: 00A8B4E3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 8059ba10e6ee3156433ae0889ff58bd9ad6af31666f107ba5835e483d33bf3de
Instruction ID: 9c594a20fd0c0362a1a5eea7478b4a0fd5183cc532816647ac8d98493386ab99
Opcode Fuzzy Hash: 8059ba10e6ee3156433ae0889ff58bd9ad6af31666f107ba5835e483d33bf3de
Instruction Fuzzy Hash: EEF1AE316183409FCB14EF24D991B6FBBE1AF85314F14855DF49A9B2A2DB31EC41CB62

Function 00A0D730 Relevance: 21.6, APIs: 14, Instructions: 616windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A0D807
timeGetTime.WINMM ref: 00A0DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB28
TranslateMessage.USER32(?), ref: 00A0DB7B
DispatchMessageW.USER32(?), ref: 00A0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB9F
Sleep.KERNELBASE(0000000A), ref: 00A0DBB1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: d071e4a93f7d0e65245a4bc8cec64589aa510ec466a25a45c8fc2f209dc37cfb
Instruction ID: 1bf6ef4873c5ae23f5a9e190bb3ad8d046ccdd1e3d82c6a06966152c7034f800
Opcode Fuzzy Hash: d071e4a93f7d0e65245a4bc8cec64589aa510ec466a25a45c8fc2f209dc37cfb
Instruction Fuzzy Hash: BC42F131608345EFD728CF64D844BAAB7F0BF46354F148A1EE956872D1D770E889CB92

Function 00A02CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A02D07
RegisterClassExW.USER32(00000030), ref: 00A02D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A02D42
InitCommonControlsEx.COMCTL32(?), ref: 00A02D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A02D6F
LoadIconW.USER32(000000A9), ref: 00A02D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A02D94

Strings

TaskbarCreated, xrefs: 00A02D37
0, xrefs: 00A02CE9
+, xrefs: 00A02CF0
AutoIt v3 GUI, xrefs: 00A02D23

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: eb97f9ceaa05f5f9a94a19c81fc10b12ce4a3a033591be1f9b5dc862c129dd96
Instruction ID: 63d1dabe4cbacc2aa871bd7113aa53a19cb545fc6d5e817957ca7e7c7c81689d
Opcode Fuzzy Hash: eb97f9ceaa05f5f9a94a19c81fc10b12ce4a3a033591be1f9b5dc862c129dd96
Instruction Fuzzy Hash: 4221C3B5A02218AFDB00DFE4E859BDDBBB8FB08714F00411BF512A62A0DBB14546CF91

Function 00A4065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A4039A: CreateFileW.KERNELBASE(00000000,00000000,?,00A40704,?,?,00000000,?,00A40704,00000000,0000000C), ref: 00A403B7

GetLastError.KERNEL32 ref: 00A4076F
__dosmaperr.LIBCMT ref: 00A40776
GetFileType.KERNELBASE(00000000), ref: 00A40782
GetLastError.KERNEL32 ref: 00A4078C
__dosmaperr.LIBCMT ref: 00A40795
CloseHandle.KERNEL32(00000000), ref: 00A407B5
CloseHandle.KERNEL32(?), ref: 00A408FF
GetLastError.KERNEL32 ref: 00A40931
__dosmaperr.LIBCMT ref: 00A40938

Strings

H, xrefs: 00A408BD

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 69d9b53fb7ba589f5b0887b657d17be500d55ab258608d5fddc8ae536f6ef5fe
Instruction ID: 4dfd296709553267e007aca3668e0f0c41b9e221fe0ada27c743bd018043e6e0
Opcode Fuzzy Hash: 69d9b53fb7ba589f5b0887b657d17be500d55ab258608d5fddc8ae536f6ef5fe
Instruction Fuzzy Hash: 33A1273AA005048FDF19EF78D951FAE7BB0EB86320F24015AF9119F292DB359813DB91

Function 00A0344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD1418,?,00A02E7F,?,?,?,00000000), ref: 00A03A78

Part of subcall function 00A03357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A03379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A0356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A4318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A431CE
RegCloseKey.ADVAPI32(?), ref: 00A43210
_wcslen.LIBCMT ref: 00A43277
_wcslen.LIBCMT ref: 00A43286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00A03560
\Include\, xrefs: 00A03527
Include, xrefs: 00A43184, 00A431C5
\, xrefs: 00A4328C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3617bc88eb3f01959aa063757a0d20871b54247dcc503e24dc3ec410ed8084cd
Instruction ID: f6b34dd93939e3c71208086e2bc97ac99a7ae29da238563778fa9b8d205908bc
Opcode Fuzzy Hash: 3617bc88eb3f01959aa063757a0d20871b54247dcc503e24dc3ec410ed8084cd
Instruction Fuzzy Hash: 2971D6715053049FD704EFA9ED81AABB7F8FFA4750F40052EF5468B1A0EB709A49CB62

Function 00A02B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A02B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00A02B9D
LoadIconW.USER32(00000063), ref: 00A02BB3
LoadIconW.USER32(000000A4), ref: 00A02BC5
LoadIconW.USER32(000000A2), ref: 00A02BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A02BEF
RegisterClassExW.USER32(?), ref: 00A02C40

Part of subcall function 00A02CD4: GetSysColorBrush.USER32(0000000F), ref: 00A02D07
Part of subcall function 00A02CD4: RegisterClassExW.USER32(00000030), ref: 00A02D31
Part of subcall function 00A02CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A02D42
Part of subcall function 00A02CD4: InitCommonControlsEx.COMCTL32(?), ref: 00A02D5F
Part of subcall function 00A02CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A02D6F
Part of subcall function 00A02CD4: LoadIconW.USER32(000000A9), ref: 00A02D85
Part of subcall function 00A02CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A02D94

Strings

AutoIt v3, xrefs: 00A02C2F
0, xrefs: 00A02C0F
#, xrefs: 00A02C16

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 86c6fd07524931a7cc54b200b50b4c9b637c93e2a63200a91db9c9a08a33ffbd
Instruction ID: 66808110944748f7b6b82e81369c6ca6b82059e3427bedd3c6daf9dcd245a784
Opcode Fuzzy Hash: 86c6fd07524931a7cc54b200b50b4c9b637c93e2a63200a91db9c9a08a33ffbd
Instruction Fuzzy Hash: 03211875E02318BBDB50DFE5EC59AA97FB4FB48B54F40011BE506AA6A0DBB10542CF90

Function 00A03170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A0316A,?,?), ref: 00A031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00A0316A,?,?), ref: 00A03204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A03227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A0316A,?,?), ref: 00A03232
CreatePopupMenu.USER32 ref: 00A03246
PostQuitMessage.USER32(00000000), ref: 00A03267

Strings

TaskbarCreated, xrefs: 00A0322D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 3a240a5c0b59ee208f535c418185f6890f190740ebf7cb77084196906678bc7f
Instruction ID: fd01530455baaebe9f795d006da803d08305b7b1f293689b2508f65e75cfddf2
Opcode Fuzzy Hash: 3a240a5c0b59ee208f535c418185f6890f190740ebf7cb77084196906678bc7f
Instruction Fuzzy Hash: 4341193A340208BBDF149BF8BD69BB93B6DEB5D350F040217F503862E1DB618A419761

Function 00A01410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A01459
CoUninitialize.COMBASE ref: 00A014F8
UnregisterHotKey.USER32(?), ref: 00A016DD
DestroyWindow.USER32(?), ref: 00A424B9
FreeLibrary.KERNEL32(?), ref: 00A4251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A4254B

Strings

close all, xrefs: 00A01454

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 20a3922ca13ba5deb03a555b6d9c01a214dc9ded7b645ad5c2e560873da81e58
Instruction ID: b828d68ff5682bff27a73075514f4e06f8ca88394151b018a780492faf5370f8
Opcode Fuzzy Hash: 20a3922ca13ba5deb03a555b6d9c01a214dc9ded7b645ad5c2e560873da81e58
Instruction Fuzzy Hash: 04D1AD35701212CFCB19EF14D995BA9F7A0BF44310F5582ADF44A6B2A2DB31AC12CF91

Function 00A02C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A02C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A02CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A01CAD,?), ref: 00A02CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A01CAD,?), ref: 00A02CCF

Strings

AutoIt v3, xrefs: 00A02C89, 00A02C8E, 00A02C8F
edit, xrefs: 00A02CAC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a578df43ee5a7b468df13870cb5dfae2e213d66e7748eeaa3f5a0c2968e53501
Instruction ID: 8956243da50682672bda2516b448a0ba84e2d289232c7beb0ce66f754cdb3823
Opcode Fuzzy Hash: a578df43ee5a7b468df13870cb5dfae2e213d66e7748eeaa3f5a0c2968e53501
Instruction Fuzzy Hash: C4F0DA796412907BEB719797AC0CEB73FBDD7C6F60B00005BF905AA5A0D6611852DAB0

Function 00A010F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A01BF4
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A01BFC
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A01C07
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A01C12
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A01C1A
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A01C22

Part of subcall function 00A01B4A: RegisterWindowMessageW.USER32(00000004,?,00A012C4), ref: 00A01BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A0136A
OleInitialize.OLE32 ref: 00A01388
CloseHandle.KERNEL32(00000000,00000000), ref: 00A424AB

Strings

pN, xrefs: 00A01292

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: pN
API String ID: 1986988660-805884423
Opcode ID: 8fa47585e86ba49f98233c5e4d3a14d7d8f574c3d090f2f74795a566ffff9cc2
Instruction ID: c87d053c80840732456209aabc0b01ae1909ea73c51b31732c3577f3c8af908a
Opcode Fuzzy Hash: 8fa47585e86ba49f98233c5e4d3a14d7d8f574c3d090f2f74795a566ffff9cc2
Instruction Fuzzy Hash: C0718BB4A12304AFC784EFF9BA456993BE1FB89354754826BD41BC73A2EB384442CF51

Function 00A03B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B83

Strings

Control Panel\Mouse, xrefs: 00A03B3E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ba0cd34bb398f5cc06e916466c6fa855d66f601926580bcb18415a859323f586
Instruction ID: 871ab383ea39851247695e35cf4392e119709e1d1bd33380329126ccbd5af492
Opcode Fuzzy Hash: ba0cd34bb398f5cc06e916466c6fa855d66f601926580bcb18415a859323f586
Instruction Fuzzy Hash: 1F112AB6610208FFDF20CFA5EC85AAEBBBCEF05758B10445AA806D7150E6719E459760

Function 00A03923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A433A2

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A03A04

Strings

Line: , xrefs: 00A433EB

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e38a4a8da0844889836e2fc61b659ec82b6b68e5113931de4a39a09c464f1f36
Instruction ID: f8fe95aae5edcb403aece39de2d8f1f3d565c5d7bac609c958296d746e602f4d
Opcode Fuzzy Hash: e38a4a8da0844889836e2fc61b659ec82b6b68e5113931de4a39a09c464f1f36
Instruction Fuzzy Hash: 6931E272508308ABCB20EB64EC45BEBB3ECAB40314F00492BF59A861D1DB709649C7C2

Function 00A1FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A20668

Part of subcall function 00A232A4: RaiseException.KERNEL32(?,?,?,00A2068A,?,00AD1444,?,?,?,?,?,?,00A2068A,00A01129,00AC8738,00A01129), ref: 00A23304

__CxxThrowException@8.LIBVCRUNTIME ref: 00A20685

Strings

Unknown exception, xrefs: 00A20692

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 4bb3447e6b5b9ef612277afd45bdeaecb5e65e68034c43afe0d1327ff160a76f
Instruction ID: 367688f4346185c3cf79a5205a466dc388effbb69bf0764e103ce6940c60ddbb
Opcode Fuzzy Hash: 4bb3447e6b5b9ef612277afd45bdeaecb5e65e68034c43afe0d1327ff160a76f
Instruction Fuzzy Hash: C5F0C23490021DBBCF04B7ACF946DEE7B6C6E00354B604535B824D6593EF75DA65C6C0

Function 00A6C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A03A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A6C259
KillTimer.USER32(?,00000001,?,?), ref: 00A6C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A6C270

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0bd6369bcaa68d0f2f1a3f17f33334f6e8940371c1eafa8bb69316192e8ae4b0
Instruction ID: d63afa22550d45b5d86e4fc41deaf59edba9e585cc9dfd2e61bdfc22742088e2
Opcode Fuzzy Hash: 0bd6369bcaa68d0f2f1a3f17f33334f6e8940371c1eafa8bb69316192e8ae4b0
Instruction Fuzzy Hash: 7331C370A04344AFEB22DFB488A5BE7BBFC9F06314F00049AD6EA97241C7745A85CB51

Function 00A386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00A385CC,?,00AC8CC8,0000000C), ref: 00A38704
GetLastError.KERNEL32(?,00A385CC,?,00AC8CC8,0000000C), ref: 00A3870E
__dosmaperr.LIBCMT ref: 00A38739

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 2434f71c894c25b0831c346bf7a39889eaeaf0552f31f72b64b77810e43bbe06
Instruction ID: d003ac3d34d1d1b2258ec764d9119dcffc71e57fd258b6187af31ce948dab4df
Opcode Fuzzy Hash: 2434f71c894c25b0831c346bf7a39889eaeaf0552f31f72b64b77810e43bbe06
Instruction Fuzzy Hash: B5014E32A0572017D634A378AA47B7E77594B82774F39011AF8158F1D2DFA8CC819150

Function 00A0DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00A0DB7B
DispatchMessageW.USER32(?), ref: 00A0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB9F
Sleep.KERNELBASE(0000000A), ref: 00A0DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00A51CC9

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: efc1006eb2c205f07141f35f7cc43fdeef9c856ff20856cb444c778d058ccfdc
Instruction ID: cc4cd7a467ef15d463a3680325714ec18b1c711850a6e9849b93d1ba902e0e30
Opcode Fuzzy Hash: efc1006eb2c205f07141f35f7cc43fdeef9c856ff20856cb444c778d058ccfdc
Instruction Fuzzy Hash: DCF0FE316443849BE730DBE09C89FEA73ADEB85711F504A1AE65A970D0DB309489DB25

Function 00A11310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A117F6

Strings

CALL, xrefs: 00A117C6

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8af20ac32f92ca53a3f4d0fb97d0104ac959cf7282248c1495d9c7d282558d02
Instruction ID: 443232628dff59a4adad29b273aafec6707e8138955d8da7baa7df5cf4d2638b
Opcode Fuzzy Hash: 8af20ac32f92ca53a3f4d0fb97d0104ac959cf7282248c1495d9c7d282558d02
Instruction Fuzzy Hash: C5228C706083419FC714DF14C580BAABBF2BF85314F64895DF9968B3A1D735E885CB92

Function 00A02DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00A42C8C

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A02DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A02DC4

Strings

X, xrefs: 00A42C5A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: afa868059812207867841be80b9a3683d9832070ee2b0675c9a4e0e5940156d6
Instruction ID: ffb88907bf82efbd0f65d6fc680176a835dc291e998e24cdf0ef4dd8e868a1ab
Opcode Fuzzy Hash: afa868059812207867841be80b9a3683d9832070ee2b0675c9a4e0e5940156d6
Instruction Fuzzy Hash: 7621A571A0025C9FCF01EF94D949BEE7BFCAF49314F00405AE405AB281DBB45A898F61

Function 00A03837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A03908

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 82df8420eac3355da1fd49e73e1b164ec6f5a86042d14b18b3e59456badafd7d
Instruction ID: 2b04cc4bab64a189971fda547cc30ab93150df857524d6116e327c4227e83765
Opcode Fuzzy Hash: 82df8420eac3355da1fd49e73e1b164ec6f5a86042d14b18b3e59456badafd7d
Instruction Fuzzy Hash: C931C3756057059FD760DF64E884797BBF8FB49308F00096EF59A87280E771AA48CB52

Function 00A1F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A1F661

Part of subcall function 00A0D730: GetInputState.USER32 ref: 00A0D807

Sleep.KERNEL32(00000000), ref: 00A5F2DE

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: f8c219f56f3e970220d4c5c5c87df302f6230ef125a122ccd1c1a8ef60cabe41
Instruction ID: afb730434a9b242ab5946043b36dab6f9045a8c8aa6547cc0b1660a18baa7af7
Opcode Fuzzy Hash: f8c219f56f3e970220d4c5c5c87df302f6230ef125a122ccd1c1a8ef60cabe41
Instruction Fuzzy Hash: 57F082312406059FD310EFA5E945B5AB7E4FF49761F00006AE85EC73A0DB70BC00CB90

Function 00A04ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E9C
Part of subcall function 00A04E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04EAE
Part of subcall function 00A04E90: FreeLibrary.KERNEL32(00000000,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EFD

Part of subcall function 00A04E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E62
Part of subcall function 00A04E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04E74
Part of subcall function 00A04E59: FreeLibrary.KERNEL32(00000000,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E87

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6dbbd94a9f81de633b3a1073c944fd0fc8d4d2eaaecc9b27d007d07c18ed3b5b
Instruction ID: 51af687baab1a4e265d43a19a9ccde6316dee1904ea769521e1c3d6f09c06a2e
Opcode Fuzzy Hash: 6dbbd94a9f81de633b3a1073c944fd0fc8d4d2eaaecc9b27d007d07c18ed3b5b
Instruction Fuzzy Hash: 3D11E7B261020AABDF14FF74EE02FED77A5BF44B11F10842DF642A61C1DEB09A459B50

Function 00A38402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A38440

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 6067391b432d3a65a3503174865d37e02bb296c47430cdffa929088eed8ed083
Instruction ID: 8caa7f04de6f9bca9a4e606dd1f22b824634d11c0e2dbac7f9453d4c0d02c4e3
Opcode Fuzzy Hash: 6067391b432d3a65a3503174865d37e02bb296c47430cdffa929088eed8ed083
Instruction Fuzzy Hash: 1311187590420AAFCF15DF58E94199A7BF5EF48314F104059F809AB312DB31DA11CBA5

Function 00A2E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9c3f92c0cf512e1e242c298e024df341261f17db75382bc530039d325ca09794
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D4F0F432511A309AD6317B6DBE05B5A33A89F52331F100735F420921D2DB78E84186A5

Function 00A33820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd0c2e17f553a931beaea1b13148318f31d99ff627ab20c1806e71635e7b3b5f
Instruction ID: d37f692ec18d1e0c89c1b403ea44a783e591a11daedd38ab7867de807c1cf630
Opcode Fuzzy Hash: cd0c2e17f553a931beaea1b13148318f31d99ff627ab20c1806e71635e7b3b5f
Instruction Fuzzy Hash: 2BE0E53310A234A6EE212BBBAD01B9A3758AF427B0F150131BC05964A0CB10DD0282E4

Function 00A04F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04F6D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bcd698012414aab0a16743f9e20448beabcbf941588a844c61eaea7e708b78df
Instruction ID: 30e5c6b6026c9c4e361b247a51ccda9b7bdc998689cf44964cfe998392076551
Opcode Fuzzy Hash: bcd698012414aab0a16743f9e20448beabcbf941588a844c61eaea7e708b78df
Instruction Fuzzy Hash: 19F015B1505756CFDB349F64E590822BBF4BF187293208A7EE3EA82661CB319884DB10

Function 00A92A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A92A66

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 06af40955b21c9d79bca324f5748dcafc30626cffd1c51e867fa414b5640c1f1
Instruction ID: 5742a2ea5337e2ad3c3cfc3f8a09eb64738c83dcf9b9fcc8c00db6543f1cd32c
Opcode Fuzzy Hash: 06af40955b21c9d79bca324f5748dcafc30626cffd1c51e867fa414b5640c1f1
Instruction Fuzzy Hash: A7E04F77354116BACB14EB30DC809FA73ECEF643D57104536AC1AC2500DB30999687A0

Function 00A030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A0314E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8030a9e13c90cdb1391101e6ada44d34f8de96120fc72302482f7f9c95506d11
Instruction ID: d39509ee77e71bd884e84eaca8c56dd39f8038d8bbc0b0f344748ca9b425c1f6
Opcode Fuzzy Hash: 8030a9e13c90cdb1391101e6ada44d34f8de96120fc72302482f7f9c95506d11
Instruction Fuzzy Hash: C5F0A770A00318AFEB92DB64EC497D57BFCA701708F0000E6A5499A181DB705789CF41

Function 00A02DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A02DC4

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5d703ea8bf90543facfa8116502e7f305ad687cd8a6f8e6587797f27bb9d3e21
Instruction ID: 6566185803e67556612a276c8b51820e0020f7912491c16ce22cd429194f0c0b
Opcode Fuzzy Hash: 5d703ea8bf90543facfa8116502e7f305ad687cd8a6f8e6587797f27bb9d3e21
Instruction Fuzzy Hash: 93E0CD76A001245BC710E7989C05FDA77DDDFC8794F040072FD09D7248DD60AD858550

Function 00A02B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A03837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A03908

Part of subcall function 00A0D730: GetInputState.USER32 ref: 00A0D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00A02B6B

Part of subcall function 00A030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A0314E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f79668663c83600b876434a870513adbcc10b4a3d28eed80dd090c4bf4f70a8b
Instruction ID: 281d8908d99a624cb637db702ff15ba656ad4474175c1c60e6a16643bf189cc0
Opcode Fuzzy Hash: f79668663c83600b876434a870513adbcc10b4a3d28eed80dd090c4bf4f70a8b
Instruction Fuzzy Hash: 05E086A370425C17CA04FBB4BA5657EB75D9BD1351F40597FF143472E3CE24454A4352

Function 00A4039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00A40704,?,?,00000000,?,00A40704,00000000,0000000C), ref: 00A403B7

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0d4687b2d4b67b0e94d824b2ab355ba9286de293a4fb9186fba886160762f728
Instruction ID: 03c36797434889da4b155c260a1187f76be99695321f7e6a61d8c5ae7b4b0695
Opcode Fuzzy Hash: 0d4687b2d4b67b0e94d824b2ab355ba9286de293a4fb9186fba886160762f728
Instruction Fuzzy Hash: 78D06C3214010DBBDF028F84DD06EDA3BAAFB48714F114100BE1856020C732E822AB94

Function 00A01CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00A01CBC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0de6675b339ad696392807a2094aefe15ab961f5d46b6328003357881d2308f0
Instruction ID: 59097b5840b3358e49b4d7c9daea18973e2846f5b55eaa61ad691f6ae073eab7
Opcode Fuzzy Hash: 0de6675b339ad696392807a2094aefe15ab961f5d46b6328003357881d2308f0
Instruction Fuzzy Hash: 2AC092363C1304AFF214CBC4BC4EF107764A358B14F448003F60AA95E3C7A22822EB50

Non-executed Functions

Function 00A99576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A9961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A9965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A9969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A996C9
SendMessageW.USER32 ref: 00A996F2
GetKeyState.USER32(00000011), ref: 00A9978B
GetKeyState.USER32(00000009), ref: 00A99798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A997AE
GetKeyState.USER32(00000010), ref: 00A997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A997E9
SendMessageW.USER32 ref: 00A99810
SendMessageW.USER32(?,00001030,?,00A97E95), ref: 00A99918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A9992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A99941
SetCapture.USER32(?), ref: 00A9994A
ClientToScreen.USER32(?,?), ref: 00A999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A999D6
ReleaseCapture.USER32 ref: 00A999E1
GetCursorPos.USER32(?), ref: 00A99A19
ScreenToClient.USER32(?,?), ref: 00A99A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A99A80
SendMessageW.USER32 ref: 00A99AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A99AEB
SendMessageW.USER32 ref: 00A99B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A99B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A99B4A
GetCursorPos.USER32(?), ref: 00A99B68
ScreenToClient.USER32(?,?), ref: 00A99B75
GetParent.USER32(?), ref: 00A99B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A99BFA
SendMessageW.USER32 ref: 00A99C2B
ClientToScreen.USER32(?,?), ref: 00A99C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A99CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A99CDE
SendMessageW.USER32 ref: 00A99D01
ClientToScreen.USER32(?,?), ref: 00A99D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A99D82

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

GetWindowLongW.USER32(?,000000F0), ref: 00A99E05

Strings

@GUI_DRAGID, xrefs: 00A9997D
F, xrefs: 00A99D07
(>, xrefs: 00A99990

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: (>$@GUI_DRAGID$F
API String ID: 3429851547-4004422186
Opcode ID: e91c13b753cb77cdbd5f56554bdfaf4dcf149e3d6b7975a7be2e34d1a199da97
Instruction ID: 3796936e9d7cf018c011c0c15892c0b46a120e98897f48e4c6c46c06b9d3001e
Opcode Fuzzy Hash: e91c13b753cb77cdbd5f56554bdfaf4dcf149e3d6b7975a7be2e34d1a199da97
Instruction Fuzzy Hash: 91427C35304241BFDB24CF68CD94AABBBE5FF49720F14061EF699872A1DB31A891CB51

Function 00A94873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A94908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A94927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A9494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A9495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A9497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A94A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A94A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A94A7E
IsMenu.USER32(?), ref: 00A94A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A94AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A94B20
GetWindowLongW.USER32(?,000000F0), ref: 00A94B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A94BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A94C82
wsprintfW.USER32 ref: 00A94CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A94CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A94CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A94D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A94D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A94D5A

Strings

%d/%02d/%02d, xrefs: 00A94CA8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: d21564c7ce774b6e71cf0c5e31204aee7e1b628dbc54b35041dbc49e6273cabe
Instruction ID: bea6ee4040a9b7e767055bba1ea168c7e1979756aa8fd93c906e64e85412a857
Opcode Fuzzy Hash: d21564c7ce774b6e71cf0c5e31204aee7e1b628dbc54b35041dbc49e6273cabe
Instruction Fuzzy Hash: 7E12CE71700255ABEF248F68CC49FAE7BF8AF49710F14412AF516EB2E1DB789942CB50

Function 00A1F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A1F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5F474
IsIconic.USER32(00000000), ref: 00A5F47D
ShowWindow.USER32(00000000,00000009), ref: 00A5F48A
SetForegroundWindow.USER32(00000000), ref: 00A5F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A5F4AA
GetCurrentThreadId.KERNEL32 ref: 00A5F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A5F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A5F4DE
SetForegroundWindow.USER32(00000000), ref: 00A5F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F4F6
keybd_event.USER32(00000012,00000000), ref: 00A5F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F50B
keybd_event.USER32(00000012,00000000), ref: 00A5F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F519
keybd_event.USER32(00000012,00000000), ref: 00A5F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F528
keybd_event.USER32(00000012,00000000), ref: 00A5F52D
SetForegroundWindow.USER32(00000000), ref: 00A5F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A5F557

Strings

Shell_TrayWnd, xrefs: 00A5F46F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 88e347983c4b528930669197f2242818e207fd99801dee1f0c662ba4c333fa09
Instruction ID: 68c9170181f9d94a10e578f751e1eb8cdd7ee14d2c9f42308a0e4ab92786274e
Opcode Fuzzy Hash: 88e347983c4b528930669197f2242818e207fd99801dee1f0c662ba4c333fa09
Instruction Fuzzy Hash: 7B315371B802187FEB20ABF55C49FBF7E7DEB44B61F110426FA04E61D1DAB15D01AA60

Function 00A61201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00A616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
Part of subcall function 00A616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
Part of subcall function 00A616C3: GetLastError.KERNEL32 ref: 00A6174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A61286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A612A8
CloseHandle.KERNEL32(?), ref: 00A612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A612D1
GetProcessWindowStation.USER32 ref: 00A612EA
SetProcessWindowStation.USER32(00000000), ref: 00A612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A61310

Part of subcall function 00A610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A611FC), ref: 00A610D4
Part of subcall function 00A610BF: CloseHandle.KERNEL32(?,?,00A611FC), ref: 00A610E9

Strings

, xrefs: 00A6125A
winsta0, xrefs: 00A612CC
default, xrefs: 00A6130B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: a47f0c68cd255f9b97dd2d6410c675acb512419187d54529479eb5b3b69986cb
Instruction ID: 82802d046cc1d5d7bdc951cd94582154360f68a82fcd2e4928deba59f098a624
Opcode Fuzzy Hash: a47f0c68cd255f9b97dd2d6410c675acb512419187d54529479eb5b3b69986cb
Instruction Fuzzy Hash: 1081ACB1A00208AFDF21DFA4DD49FEE7FB9EF04704F18412AFA11A61A0DB718945CB21

Function 00A60B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
Part of subcall function 00A610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
Part of subcall function 00A610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
Part of subcall function 00A610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A60BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A60C00
GetLengthSid.ADVAPI32(?), ref: 00A60C17
GetAce.ADVAPI32(?,00000000,?), ref: 00A60C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A60C6D
GetLengthSid.ADVAPI32(?), ref: 00A60C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A60C8C
HeapAlloc.KERNEL32(00000000), ref: 00A60C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A60CB4
CopySid.ADVAPI32(00000000), ref: 00A60CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A60CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A60D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A60D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D45
HeapFree.KERNEL32(00000000), ref: 00A60D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D55
HeapFree.KERNEL32(00000000), ref: 00A60D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D65
HeapFree.KERNEL32(00000000), ref: 00A60D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A60D78
HeapFree.KERNEL32(00000000), ref: 00A60D7F

Part of subcall function 00A61193: GetProcessHeap.KERNEL32(00000008,00A60BB1,?,00000000,?,00A60BB1,?), ref: 00A611A1
Part of subcall function 00A61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A60BB1,?), ref: 00A611A8
Part of subcall function 00A61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A60BB1,?), ref: 00A611B7

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 41c5bf07fedcd47d9aa570c647570a40ef293943d742f5a40d21e3b4f0abfb57
Instruction ID: c8c94d140490d13fae205c7829b31506447b81d1d39aac262cddd7bb91d3851d
Opcode Fuzzy Hash: 41c5bf07fedcd47d9aa570c647570a40ef293943d742f5a40d21e3b4f0abfb57
Instruction Fuzzy Hash: 90715A72A0021AEFDF10DFE4DC44FAFBBB8BF05310F144616E915A6191DB71AA46CBA0

Function 00A7EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A9CC08), ref: 00A7EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A7EB37
GetClipboardData.USER32(0000000D), ref: 00A7EB43
CloseClipboard.USER32 ref: 00A7EB4F
GlobalLock.KERNEL32(00000000), ref: 00A7EB87
CloseClipboard.USER32 ref: 00A7EB91
GlobalUnlock.KERNEL32(00000000), ref: 00A7EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00A7EBC9
GetClipboardData.USER32(00000001), ref: 00A7EBD1
GlobalLock.KERNEL32(00000000), ref: 00A7EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00A7EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00A7EC38
GetClipboardData.USER32(0000000F), ref: 00A7EC44
GlobalLock.KERNEL32(00000000), ref: 00A7EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A7EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A7EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A7ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00A7ECF3
CountClipboardFormats.USER32 ref: 00A7ED14
CloseClipboard.USER32 ref: 00A7ED59

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 2caa1c452baf6b7d276faa9b572c7bd459ce0945142848585f5c1e9e88e784a0
Instruction ID: f4b48c8c64bb1827f052ff54f614680822f35a4eb30b03fcbeafafe2aeef3b1f
Opcode Fuzzy Hash: 2caa1c452baf6b7d276faa9b572c7bd459ce0945142848585f5c1e9e88e784a0
Instruction Fuzzy Hash: BB61E2352042059FD310EF64DD84F6A7BE8AF88714F04C59AF55A872A2DF30DD06CBA2

Function 00A7698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A769BE
FindClose.KERNEL32(00000000), ref: 00A76A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A76A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A76A75

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00A76AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A76ADF

Strings

%02d, xrefs: 00A76C00, 00A76C0A, 00A76C5A, 00A76CAA, 00A76CFA, 00A76D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00A76B6A
%4d, xrefs: 00A76BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00A76B32
%03d, xrefs: 00A76DA2

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 7f688fbaabb438be620e3c4c53b7c2813290f2e308a150396708ad5d30309272
Instruction ID: ab5b96af7c2bb8b89f1d8b5c09ce0fc754a8eee1510ad17d83a7a2e3c052e2fc
Opcode Fuzzy Hash: 7f688fbaabb438be620e3c4c53b7c2813290f2e308a150396708ad5d30309272
Instruction Fuzzy Hash: 46D14071508344AEC710EBA4DD81EABB7ECAF88704F44491DF589D6191EB74EA48CB62

Function 00A79642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A79663
GetFileAttributesW.KERNEL32(?), ref: 00A796A1
SetFileAttributesW.KERNEL32(?,?), ref: 00A796BB
FindNextFileW.KERNEL32(00000000,?), ref: 00A796D3
FindClose.KERNEL32(00000000), ref: 00A796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00A796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00A7974A
SetCurrentDirectoryW.KERNEL32(00AC6B7C), ref: 00A79768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A79772
FindClose.KERNEL32(00000000), ref: 00A7977F
FindClose.KERNEL32(00000000), ref: 00A7978F

Strings

*.*, xrefs: 00A796F5

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 9c85cb2f6af36f5be921f5fba0d05e5380121cd7e9793d05a9bc83e5e9f73d85
Instruction ID: 8782566e2d4e40dfffba7549a72c7fded9ed8d80de69308d6c5494541addf8e7
Opcode Fuzzy Hash: 9c85cb2f6af36f5be921f5fba0d05e5380121cd7e9793d05a9bc83e5e9f73d85
Instruction Fuzzy Hash: 7D319132641619BBDB14EFB4EC49EDF77ACAF09320F10C567E819E2190EB30DD458A24

Function 00A7979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00A79819
FindClose.KERNEL32(00000000), ref: 00A79824
FindFirstFileW.KERNEL32(*.*,?), ref: 00A79840
SetCurrentDirectoryW.KERNEL32(?), ref: 00A79890
SetCurrentDirectoryW.KERNEL32(00AC6B7C), ref: 00A798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A798B8
FindClose.KERNEL32(00000000), ref: 00A798C5
FindClose.KERNEL32(00000000), ref: 00A798D5

Part of subcall function 00A6DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A6DB00

Strings

*.*, xrefs: 00A7983B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: de82891dde68eacba4051e9672878fa5605e46b5f0a0be35db3ca6eddff377a0
Instruction ID: 408d5e6d0a3d2db329299921105107be86ee06ea27ee109cd17b14c9b404e570
Opcode Fuzzy Hash: de82891dde68eacba4051e9672878fa5605e46b5f0a0be35db3ca6eddff377a0
Instruction Fuzzy Hash: 75319232641A19BADB10EFB4EC48ADF77ACAF06320F14C5A7E818A2190DB30DD458B65

Function 00A8BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00A8BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00A8BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A8C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A8C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8C382
RegCloseKey.ADVAPI32(00000000), ref: 00A8C38F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: b5b4debda4d6ba60eec263eac99960c254f24de3e43c20a5954fb942ddccc3f8
Instruction ID: b10af756255bc04c681f09170a71799d8b674ec8f413cb4103f5a9d6475e3950
Opcode Fuzzy Hash: b5b4debda4d6ba60eec263eac99960c254f24de3e43c20a5954fb942ddccc3f8
Instruction Fuzzy Hash: 3A024C71604200AFD714DF24C995E2ABBE5EF49318F18859DF84ACB2A2DB31ED46CF61

Function 00A78195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A78257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A78267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A78273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A78310
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78324
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A7838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78395

Strings

*.*, xrefs: 00A7839B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f92adc2c33add46c576893caaa4250a9455c7a4b97dd1ceaf0e9fc59508ba842
Instruction ID: 9f9647d03d5cb6347370f647a1f15fa05edc008e296b7e9e93017e79f9f61b54
Opcode Fuzzy Hash: f92adc2c33add46c576893caaa4250a9455c7a4b97dd1ceaf0e9fc59508ba842
Instruction Fuzzy Hash: 6B617B726083059FC710EF64D9449AFB3E8FF89324F04892EF99987251DB35E945CB92

Function 00A6D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A6D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A6D1DD
MoveFileW.KERNEL32(?,?), ref: 00A6D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A6D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6D237

Part of subcall function 00A6D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A6D21C,?,?), ref: 00A6D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00A6D253
FindClose.KERNEL32(00000000), ref: 00A6D264

Strings

\*.*, xrefs: 00A6D0CD, 00A6D0D6, 00A6D0EB

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 53c45586540e5dc3c8b9a729db3933a259dfb09b36ed2f62d75c3b1f4b7f9ad2
Instruction ID: cf15d13d552c6397f36c12c50bc8046a2165bd37a110cd98e86bd1a54fcbfebf
Opcode Fuzzy Hash: 53c45586540e5dc3c8b9a729db3933a259dfb09b36ed2f62d75c3b1f4b7f9ad2
Instruction Fuzzy Hash: ED616E31E0110DAFCF05EBE0DA929EEB7B9AF55340F208165E40277192EB316F09DB61

Function 00A7ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A7ED91
EmptyClipboard.USER32 ref: 00A7ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00A7EDAC
CloseClipboard.USER32 ref: 00A7EEA3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a040cf164879af114f4bd0ac4acaaa046e92f631c9d2fcbdae4e0c999429d129
Instruction ID: d3c94999622950d7402e0ff0a0b42703276a031d8f010414938b9865a329a6e7
Opcode Fuzzy Hash: a040cf164879af114f4bd0ac4acaaa046e92f631c9d2fcbdae4e0c999429d129
Instruction Fuzzy Hash: 3841A335604611AFD720DF55E848F5ABBE5FF48328F14C49AE4198F6A2CB35EC42CB90

Function 00A6E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
Part of subcall function 00A616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
Part of subcall function 00A616C3: GetLastError.KERNEL32 ref: 00A6174A

ExitWindowsEx.USER32(?,00000000), ref: 00A6E932

Strings

, xrefs: 00A6E95C
SeShutdownPrivilege, xrefs: 00A6E902
@, xrefs: 00A6E925
, xrefs: 00A6E920

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4b9b211b5ab2929b5c1f032ae0103b807a6c36a445a9a7b6859badefda4782b1
Instruction ID: e81424ea23c5475c83394ae6ec424a7f55874f8d4ac7f179332625150f6712dd
Opcode Fuzzy Hash: 4b9b211b5ab2929b5c1f032ae0103b807a6c36a445a9a7b6859badefda4782b1
Instruction Fuzzy Hash: 3401D67B710211ABFB54E7B49C86FBBB37CAF14750F150822F912E21D1E9A15C4081A0

Function 00A81204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A81276
WSAGetLastError.WSOCK32 ref: 00A81283
bind.WSOCK32(00000000,?,00000010), ref: 00A812BA
WSAGetLastError.WSOCK32 ref: 00A812C5
closesocket.WSOCK32(00000000), ref: 00A812F4
listen.WSOCK32(00000000,00000005), ref: 00A81303
WSAGetLastError.WSOCK32 ref: 00A8130D
closesocket.WSOCK32(00000000), ref: 00A8133C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 808bbcb5e3a172b1c11f6609cf6e70504726a9d6d636fe83f3c9a427e18501fa
Instruction ID: bba3b30be8bb6ad7fee0353ffeaba8c2a91a2e72e9bfd151660af15577c2aa18
Opcode Fuzzy Hash: 808bbcb5e3a172b1c11f6609cf6e70504726a9d6d636fe83f3c9a427e18501fa
Instruction Fuzzy Hash: 4141A4316002009FD710EF64D588B69BBE9FF46328F188199D8568F2D6D771ED82CBE1

Function 00A6D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A6D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A6D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6D481
FindClose.KERNEL32(00000000), ref: 00A6D498
FindClose.KERNEL32(00000000), ref: 00A6D4A1

Strings

\*.*, xrefs: 00A6D3F2

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8af70b5ad411c1fbdaaccf335ce3c9274d3bf61e955d533b3bb076b441721b32
Instruction ID: c761fe50585831eeb19383369acf1d5d62247898e106155e963818a8e1d8dfad
Opcode Fuzzy Hash: 8af70b5ad411c1fbdaaccf335ce3c9274d3bf61e955d533b3bb076b441721b32
Instruction Fuzzy Hash: 6A317E31508349ABC304EF64D9959AFB7B8AEA1354F444A1EF4D5931D1EF30AE09CB63

Function 00A3E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A3E645

Strings

1#IND, xrefs: 00A3F83D
1#INF, xrefs: 00A3F852
1#QNAN, xrefs: 00A3F84B
1#SNAN, xrefs: 00A3F844

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 05eea638af8c737b05cddd3958ab0c91e3e0b7198e137ee2e821e86d478a1139
Instruction ID: 72fe6640faeb1650dcb490c15d966699d615cb56d551334843da0872e9ff3513
Opcode Fuzzy Hash: 05eea638af8c737b05cddd3958ab0c91e3e0b7198e137ee2e821e86d478a1139
Instruction Fuzzy Hash: B8C23A71E186298FDB25CF28DD407EAB7B5EB49305F1441EAE84DE7281E774AE818F40

Function 00A7648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A764DC
CoInitialize.OLE32(00000000), ref: 00A76639
CoCreateInstance.OLE32(00A9FCF8,00000000,00000001,00A9FB68,?), ref: 00A76650
CoUninitialize.OLE32 ref: 00A768D4

Strings

.lnk, xrefs: 00A764BA, 00A76524, 00A765E0

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 67f468ab27ba076d946293aaf95820a6f17c27749911ffbc99b5e2bf99e7769b
Instruction ID: c20675d3c7d2bb5341c0db9faae39a46688f4571bc4b751a136ae612757c4049
Opcode Fuzzy Hash: 67f468ab27ba076d946293aaf95820a6f17c27749911ffbc99b5e2bf99e7769b
Instruction Fuzzy Hash: B7D14971508705AFD304EF24D981A6BB7E8FF98704F00896DF5998B292DB70ED09CB92

Function 00A822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00A822E8

Part of subcall function 00A7E4EC: GetWindowRect.USER32(?,?), ref: 00A7E504

GetDesktopWindow.USER32 ref: 00A82312
GetWindowRect.USER32(00000000), ref: 00A82319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A82355
GetCursorPos.USER32(?), ref: 00A82381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A823DF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 06615c6784dd480777fbdc51f32a617cc44cdbcd014d5f29498abab5b3fe0271
Instruction ID: 203801514e02d8e13ac83caba65dd5d7319090402c0f9c62c08b763b9d3e984b
Opcode Fuzzy Hash: 06615c6784dd480777fbdc51f32a617cc44cdbcd014d5f29498abab5b3fe0271
Instruction Fuzzy Hash: A331E372604315AFC720EF54C845F6BB7E9FF84710F00091AF9859B181DB34E909CB92

Function 00A79B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A79B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A79C8B

Part of subcall function 00A73874: GetInputState.USER32 ref: 00A738CB
Part of subcall function 00A73874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A73966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A79BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A79C75

Strings

*.*, xrefs: 00A79B5D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: bd65ffd4c1822e3a9a6d5541a791ec5d36b58f3b12db4d6d84dc2a5efeb3cc77
Instruction ID: ce81f34bc8226e725baaf58b6617ed3107c54d36c69d32a26f3faafbb3e63233
Opcode Fuzzy Hash: bd65ffd4c1822e3a9a6d5541a791ec5d36b58f3b12db4d6d84dc2a5efeb3cc77
Instruction Fuzzy Hash: B2415E7190060AAFCF15DFA4DD95AEFBBB8EF05310F24C156E409A2191EB309E84CF61

Function 00A1997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A19A4E
GetSysColor.USER32(0000000F), ref: 00A19B23
SetBkColor.GDI32(?,00000000), ref: 00A19B36

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cf28e923cfe8521f7856aa6d4cc752e5a525e17d1a84596a5250cabc659212a3
Instruction ID: a8a9e65be283d2df8af743040be4f942121dcbd2f323bd9aa55ea1a240e20ec4
Opcode Fuzzy Hash: cf28e923cfe8521f7856aa6d4cc752e5a525e17d1a84596a5250cabc659212a3
Instruction Fuzzy Hash: 94A13A70208414BEE725DB3CADB8DFF36EDEF46381B14010AF802D6591CA359D8AD272

Function 00A81806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
Part of subcall function 00A8304E: _wcslen.LIBCMT ref: 00A8309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A8185D
WSAGetLastError.WSOCK32 ref: 00A81884
bind.WSOCK32(00000000,?,00000010), ref: 00A818DB
WSAGetLastError.WSOCK32 ref: 00A818E6
closesocket.WSOCK32(00000000), ref: 00A81915

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: dc1fde3901f8495dd6e46e88eb8c9ddd88af724c4410cdb08c4998d48d5d44d6
Instruction ID: 93c76d8c61df6a59e72af3c6e88f902f62194c04e0702dc9f6adc82254ac4ebb
Opcode Fuzzy Hash: dc1fde3901f8495dd6e46e88eb8c9ddd88af724c4410cdb08c4998d48d5d44d6
Instruction Fuzzy Hash: 0451C671A00204AFDB10EF64D986F6A77E5AB44718F048498F9065F3D3DB71AD82CBE1

Function 00A91C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A91CC0
IsWindowEnabled.USER32 ref: 00A91CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00A91CDB
IsIconic.USER32 ref: 00A91CE9
IsZoomed.USER32 ref: 00A91CF7

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f7f8a688b3e8a767d166d4319ccd2d9bf8e1fd7520de78c7b1e019c2c1650cde
Instruction ID: 5a070d1f0d2e04be60df7504d3adbc50dc200f0380ff4a81dfabaae95c19d07e
Opcode Fuzzy Hash: f7f8a688b3e8a767d166d4319ccd2d9bf8e1fd7520de78c7b1e019c2c1650cde
Instruction Fuzzy Hash: 4121A4317806125FDB208F2AD884F6A7BE5EF95325F198069E846CB351DB71EC42CB90

Function 00A08060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00A45DF0
VUUU, xrefs: 00A0843C
VUUU, xrefs: 00A083E8
ERCP, xrefs: 00A0813C
VUUU, xrefs: 00A083FA

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: edc4f238927e8856accc07e524383143250b972c5052221f58cd80aa3ba61a76
Instruction ID: de6f712b2687357583e77d70d9b9a218ddf61e512383a0c94a65706ce9e2bf47
Opcode Fuzzy Hash: edc4f238927e8856accc07e524383143250b972c5052221f58cd80aa3ba61a76
Instruction Fuzzy Hash: EAA2B074E0061ECBDF24CF58D8407AEB7B1BF84310F2481AAE855AB285EB759D81CF95

Function 00A6AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A6AAAC
SetKeyboardState.USER32(00000080), ref: 00A6AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A6AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A6AB88

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a3baf302f12c1989412153bb6e36dd0a2bbf6bc06fca394b77cc8a24574a760
Instruction ID: 70b33c26155c41b25e59f7032e3c27d8a90bb76fca780f962c5419d4d4ff4da2
Opcode Fuzzy Hash: 9a3baf302f12c1989412153bb6e36dd0a2bbf6bc06fca394b77cc8a24574a760
Instruction Fuzzy Hash: 1D31F430A40648AEFB35CB658C05BFE7BBAEB65320F04421BF591A61D1D7758D81CB62

Function 00A3BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A3BB7F

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

GetTimeZoneInformation.KERNEL32 ref: 00A3BB91
WideCharToMultiByte.KERNEL32(00000000,?,00AD121C,000000FF,?,0000003F,?,?), ref: 00A3BC09
WideCharToMultiByte.KERNEL32(00000000,?,00AD1270,000000FF,?,0000003F,?,?,?,00AD121C,000000FF,?,0000003F,?,?), ref: 00A3BC36

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 7ef7c8bfcf21108d3a0adcec1a14d0e312fd87fa4c59ff482c4b3e46e31c92a2
Instruction ID: 47c8180837f0eebe1a119975d8a32689a6aadfdc3533dd969abfb7aa4b6e966b
Opcode Fuzzy Hash: 7ef7c8bfcf21108d3a0adcec1a14d0e312fd87fa4c59ff482c4b3e46e31c92a2
Instruction Fuzzy Hash: 3C31B070904205EFCB11DFA9DC819A9BBB9FF45720B1446ABF161DB2A1DB319E42CB60

Function 00A7CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00A7CE89
GetLastError.KERNEL32(?,00000000), ref: 00A7CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00A7CEFE

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 58ec462610557f04b89fdad6e36406f6898a850384882e3844fa6763b5850b03
Instruction ID: d72aceda207dcb840fe8e5db94f25cff25c327f7417f405239877efd97e1c41b
Opcode Fuzzy Hash: 58ec462610557f04b89fdad6e36406f6898a850384882e3844fa6763b5850b03
Instruction Fuzzy Hash: 3F219AB1600705ABEB20DFA5DD48BA7B7F8EB40364F10C42EE54A92151EB70EE458B64

Function 00A68298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A682AA

Strings

|, xrefs: 00A682DA
(, xrefs: 00A682F0

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3ef58a79777225e8535d8fa202ac5757d0970c6dcc4aa2d8f2b61bde57241b90
Instruction ID: 16cfa3c30f9a02ef9e1ef5d5589739212289e2196a6812f0e7fa3049fbb41920
Opcode Fuzzy Hash: 3ef58a79777225e8535d8fa202ac5757d0970c6dcc4aa2d8f2b61bde57241b90
Instruction Fuzzy Hash: B7323574A00605DFCB28CF59C080AAAB7F4FF48710B15C56EE59ADB3A1EB74E981CB40

Function 00A75C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A75CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00A75D17
FindClose.KERNEL32(?), ref: 00A75D5F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f8a680d2b511c6bcc0d2ef5d6552ab7cfca9c4c0be6b71830f40abfa8d0dcaef
Instruction ID: 01ff93a2070f710ce1475974ccf74431c687a5b3e87ce893c82544b9367b2529
Opcode Fuzzy Hash: f8a680d2b511c6bcc0d2ef5d6552ab7cfca9c4c0be6b71830f40abfa8d0dcaef
Instruction Fuzzy Hash: C4519874A04A019FC714CF28D894A9AB7E4FF09324F14855EE95A8B3A2DB70FC04CB91

Function 00A32622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A3271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A32724
UnhandledExceptionFilter.KERNEL32(?), ref: 00A32731

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7713b1f5f60894e0394c2c73d76a76ea6c011e84e9648a57828367c3ecbd8f6a
Instruction ID: 81758ca0a71427e773f9808ce0d6a4fe4e61bc68011f750a0e1def995949f012
Opcode Fuzzy Hash: 7713b1f5f60894e0394c2c73d76a76ea6c011e84e9648a57828367c3ecbd8f6a
Instruction Fuzzy Hash: 3931B774911228ABCB21DF68DD89BDDB7B8BF08310F5041EAE81CA7261E7309F818F45

Function 00A751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A75238
SetErrorMode.KERNEL32(00000000), ref: 00A752A1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8cc925b51fd3d574ce22d5148f126bc43c532a361eec6935cec576088942bd8e
Instruction ID: 96ec4b32ac6f2f6e4b3d7101ff553530f550592a113f720787b3e165b273d8ec
Opcode Fuzzy Hash: 8cc925b51fd3d574ce22d5148f126bc43c532a361eec6935cec576088942bd8e
Instruction Fuzzy Hash: 7B313075A00518DFDB00DF94D884EEDBBB4FF49314F148099E909AB3A2DB71E856CB91

Function 00A616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A20668
Part of subcall function 00A1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A20685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
GetLastError.KERNEL32 ref: 00A6174A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b99d59f1d3eb7a5385738454c296f315fb797045a99d4206ef29b6b944f31baa
Instruction ID: cafab7c012290eb4c5e0f622d441ddaf9217efa06ab582967898ffce393c76eb
Opcode Fuzzy Hash: b99d59f1d3eb7a5385738454c296f315fb797045a99d4206ef29b6b944f31baa
Instruction Fuzzy Hash: 9D1191B2504304AFD718DF54EC86DABBBB9EB44764B24852EE05657641EB70BC418B60

Function 00A6D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A6D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A6D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A6D650

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 5ea5cd7c6dce21e6b2a79d177525ca7337dbde20eacd7a1a11e0ee985318b88e
Instruction ID: ac9f3fe9b2170a0bc570e220fc66162fdef2d61850da9a04a7a1b0f2e1604a62
Opcode Fuzzy Hash: 5ea5cd7c6dce21e6b2a79d177525ca7337dbde20eacd7a1a11e0ee985318b88e
Instruction Fuzzy Hash: 92115E75E05228BFDB10CF99DC45FAFBBBCEB45B60F108116F904E7290D6704A058BA1

Function 00A61663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A6168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A616A1
FreeSid.ADVAPI32(?), ref: 00A616B1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3f6f2c7a4ad22cd8067cb67ceff4b42224f498dbd45613d54a3d5d41ea9c1bea
Instruction ID: bef22bac277665b4ddaa0c2da8afc33ffd77a0cc0b805f2c048d5d5bd0361bb4
Opcode Fuzzy Hash: 3f6f2c7a4ad22cd8067cb67ceff4b42224f498dbd45613d54a3d5d41ea9c1bea
Instruction Fuzzy Hash: 82F0F475A50309FBDF00DFE4DD89AAEBBBCEB08614F504565E501E2191E774AA448A50

Function 00A5D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A5D28C

Strings

X64, xrefs: 00A5D2A8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5ee545017074bcae45b77ad35fab3d917c6e5ee2944ef94992ee6d22a4ffddfb
Instruction ID: 347d2718970737e2d56fb52caff8ad8fd72409345c49f9bf3566ceb7775e59ac
Opcode Fuzzy Hash: 5ee545017074bcae45b77ad35fab3d917c6e5ee2944ef94992ee6d22a4ffddfb
Instruction Fuzzy Hash: 7FD0CAB480112DEECBA0CBA0EC88DDEB3BCBB08306F100292F506A2000DB7096898F20

Function 00A2CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: ae1d8de887f9af6c63cc42d0b1aff3a5a8ea30e897983a1cfacfe6d47d98466f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A4021E71E002299FDF14CFADD9806ADFBF1EF48324F254169D919E7344D731AA418B94

Function 00A0CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00A50C40
(>, xrefs: 00A0CF7F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: (>$Variable is not of type 'Object'.
API String ID: 0-1039529144
Opcode ID: 73d8d8c9aa3716d8e3f9d4faddaba3b55a6f155f62a04448a3d2c229e664c75c
Instruction ID: f9ad4a61b45dac28938f3ec9d4ba142203652b07f4180ddefe91cf6ba7e3a797
Opcode Fuzzy Hash: 73d8d8c9aa3716d8e3f9d4faddaba3b55a6f155f62a04448a3d2c229e664c75c
Instruction Fuzzy Hash: E932AA7090021CDBDF14DF90E991EEDB7B5BF05314F208259E806AB2D2DB35AE4ACB61

Function 00A768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A76918
FindClose.KERNEL32(00000000), ref: 00A76961

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ad94bd443d98613fdbd439cc15a8a376ecb9a1feebfcd0dbe0a1df5f590e3edb
Instruction ID: 7d8dd749b2cdee99030c06fa98fed89ee74d4d463beaf497ee4df6d4f3b5ac28
Opcode Fuzzy Hash: ad94bd443d98613fdbd439cc15a8a376ecb9a1feebfcd0dbe0a1df5f590e3edb
Instruction Fuzzy Hash: 501190716046019FC710DF69D884B16BBE5FF85328F14C6A9E5698F6A2CB30EC45CB91

Function 00A737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A84891,?,?,00000035,?), ref: 00A737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A84891,?,?,00000035,?), ref: 00A737F4

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a229ebea0a2e28f66e1274f9c52aef577151e578953068837c79c5dfc3f0c763
Instruction ID: c991a245bfd32c89a9b6ecf0b11cf528df9a5edbeedf6910bde9d09a0c3a6431
Opcode Fuzzy Hash: a229ebea0a2e28f66e1274f9c52aef577151e578953068837c79c5dfc3f0c763
Instruction Fuzzy Hash: 19F0E5B17042282AEB20A7A69D4DFEB7BAEEFC4771F004166F509D2281D9609945C6B0

Function 00A6B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A6B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00A6B270

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4f62fcc3e55e0973ec466033a65d74dc1ffa8723120befb3c5fa830a138cbb78
Instruction ID: 22a3c702433179d98331e9469d7fedb767e5eb2e33b6bfba126c508635076559
Opcode Fuzzy Hash: 4f62fcc3e55e0973ec466033a65d74dc1ffa8723120befb3c5fa830a138cbb78
Instruction Fuzzy Hash: F3F06D7090428DABDB05CFA0C805BEE7BB0FF04315F00800AF951A5192C77982019FA4

Function 00A610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A611FC), ref: 00A610D4
CloseHandle.KERNEL32(?,?,00A611FC), ref: 00A610E9

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 36e2958213bc56d35549199525a6dd4184d6d9db67e22439fa673ba633105e18
Instruction ID: 2503733a2e14bf1a104174b96e85aeaf9168eee7867e27c2abc26fd1fc2867b7
Opcode Fuzzy Hash: 36e2958213bc56d35549199525a6dd4184d6d9db67e22439fa673ba633105e18
Instruction Fuzzy Hash: 0FE04F32008640AEEB252B51FD05EB77BA9EB04320F14882EF5A5804B1DF626CE0DB10

Function 00A3676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A36766,?,?,00000008,?,?,00A3FEFE,00000000), ref: 00A36998

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 892d1cc29c31286d0412567438c41c851415fdcccff6685a6562a879bdc5989f
Instruction ID: 72197074161b3fda627a2718e9ee361849ab5f6b6f50a4c121101b44659bb75b
Opcode Fuzzy Hash: 892d1cc29c31286d0412567438c41c851415fdcccff6685a6562a879bdc5989f
Instruction Fuzzy Hash: 94B11771610609AFD719CF28C48AB657BB0FF49364F29C658F899CF2A2C735E991CB40

Function 00A1B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00A5851F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4bafa4c74f206d1001e9561f3f0a18dcbd3bb02d6ca7d0503a873e4fb53d82d7
Instruction ID: 709b777902c7062dfc75fc9365ed15f57095e3d2271b5b80eec599a5cdf6d0ac
Opcode Fuzzy Hash: 4bafa4c74f206d1001e9561f3f0a18dcbd3bb02d6ca7d0503a873e4fb53d82d7
Instruction Fuzzy Hash: C3127E75A10229DFDB14CF58C9806EEB7F5FF48310F14819AE849EB255EB349A85CBA0

Function 00A7EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A7EABD

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d590014e92ea3ce0cbf839b378c9a304ef6d77101119feb1347cb1527037c55a
Instruction ID: 3fffc177f0480c529af6dc68129b7a1ebb333f94d5d98d0f013e0820e37bc7f9
Opcode Fuzzy Hash: d590014e92ea3ce0cbf839b378c9a304ef6d77101119feb1347cb1527037c55a
Instruction Fuzzy Hash: 43E01A312102049FC710EF59E904E9AB7E9AF987B0F00C456FD4AC7291DA70A8418BA1

Function 00A209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00A203EE), ref: 00A209DA

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03c5ebeebb505a73403c4755c212c92274d716d063093cb84834dcaf5533da5b
Instruction ID: b25d9550704e17ee3b78264013852b7410dcbc45927524f751f9c67a0e4a7471
Opcode Fuzzy Hash: 03c5ebeebb505a73403c4755c212c92274d716d063093cb84834dcaf5533da5b
Instruction Fuzzy Hash:

Function 00A2781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00A2798B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7e0900dcf94dfc432b0c39211e04a348e422927046d3c8accb176417e24a691d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2051657160D7355BDB38877CBA5ABBE23E99B02340F180539E982D7282CA15EFC1D352

Function 00A36DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867c22394bd36280889705be10a4cf30a4d1107b52c0c5b9263e2e6b3f5fc1f4
Instruction ID: cf134811c8c2222e6372aceafef5df2de945b4b97fea2301750fbfe21172324f
Opcode Fuzzy Hash: 867c22394bd36280889705be10a4cf30a4d1107b52c0c5b9263e2e6b3f5fc1f4
Instruction Fuzzy Hash: D0321361D29F024DD7379638C82233AA649AFB73C5F15D727F81AB5DA6EB29C4C34200

Function 00A1CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fc195d1a1998d543aaff46c728361404ddae1b71b161f8cdba876c4e32a19b
Instruction ID: 407976d5d7f55fb1a2abea5409aa0057d8ff30271969e026d35de61db8e245dd
Opcode Fuzzy Hash: 83fc195d1a1998d543aaff46c728361404ddae1b71b161f8cdba876c4e32a19b
Instruction Fuzzy Hash: E1322732A003158FDF28CB69C4906BD7BB1FB45372F298166DC49DB699E234DD89DB80

Function 00A07920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac29b0582854e13ef6f15d3a1f24f95f82202d2a0e0b2d6f438da9e33e850e1d
Instruction ID: 593bad9e3c634257f4afefd47939a7fa6ebe28779bc0c3d9c3d8a997b9063c61
Opcode Fuzzy Hash: ac29b0582854e13ef6f15d3a1f24f95f82202d2a0e0b2d6f438da9e33e850e1d
Instruction Fuzzy Hash: BF22BF74E04609DFDF14CFA4D981AAEB3F6FF44300F244629E816AB292EB35AD55CB50

Function 00A091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ccefae37291c60ac7640c5d33c02e5fec09c45bba5619407ebb2bf27dd33ce
Instruction ID: 3a333357dc28fc112ee46b2bdf72d9da77d10267e0f3ac6e344d81fb358570a2
Opcode Fuzzy Hash: a0ccefae37291c60ac7640c5d33c02e5fec09c45bba5619407ebb2bf27dd33ce
Instruction Fuzzy Hash: B502C5B5E00209EFDF04DF54D981AAEB7B5FF44340F118169E8169B2D1EB31AE61CB91

Function 00A39EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a5b5b0f33fcf2d458431d9d07772f011d0cbef9fcd8c5d437b35a51533afd0
Instruction ID: 5a5da4b337ced77232686a5e9b0691c50b80514c685e859b36787f6ac9bc2c99
Opcode Fuzzy Hash: b4a5b5b0f33fcf2d458431d9d07772f011d0cbef9fcd8c5d437b35a51533afd0
Instruction Fuzzy Hash: D1B12321D2AF514DCB2396798831336F64CAFBB6D5F91D31BFC2678D62EB2286834140

Function 00A21C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 9f63f09eed24a604170686eff54e0a245e1433b68c9a9ae7aff67c06088004f9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F59146725080B34ADB2D473EA57447EFFE15AA23A131A07BED4F2CA1C5FE24D954D620

Function 00A21F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7e1e520df0ed3c38a0d789de0a25d670fdecc85d2b3dd7c26da806b825fed946
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 2B9153722090B359DB2D433D957453EFEE15A923A131A07BEE4F2CA1D5EE24C964E720

Function 00A219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c19ef142046ce809b5d94ee4eeb7d54e64f11c46b4b0399e15ef66394d47e176
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A59121722090B34ADB2D477EA57443EFFF15AA23A231A07BED4F2CA1C5FE2485549620

Function 00A27A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52144c55a5c3735529d48f3c121678d91d88ecf96de2cfe8a8ff28c48ca960ac
Instruction ID: 89cfa1fe507ba53a974280a90fd7f55e02b6e3b63650b5826a02fb4bf3129c6a
Opcode Fuzzy Hash: 52144c55a5c3735529d48f3c121678d91d88ecf96de2cfe8a8ff28c48ca960ac
Instruction Fuzzy Hash: C661457120873996DF389B2CBAA6BBE23A5DF41750F20093AF843DB281DA15DF428355

Function 00A27CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a3a0efe44d6d0ef0058cb215590d0cf3b383e254752051cd67706d68f81a83
Instruction ID: a8902d56ba2f3431143b4edeb6dd37adbcc52c4febd15d30e67f48633c04372a
Opcode Fuzzy Hash: 39a3a0efe44d6d0ef0058cb215590d0cf3b383e254752051cd67706d68f81a83
Instruction Fuzzy Hash: 5A617A7560873957DE388B2C7951BBF2394EF42700F100979F843DB681DA16EF428B66

Function 00A21706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e3a08d14102ee5b3585d34d173e957329c33639147aa5ffaf699d363cdb04fbc
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F48174726090B349DB6D473E957443EFFE15AA23A131A07BDD4F2CB1C1EE24CA54E660

Function 00A72046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a67bcc82d19ef5a1b258104fd8971417df9c54bda69be35bcc7ab96f72d81f4
Instruction ID: df0c11b0af2253074080a84eb35774a917fc20208708876ddf2140d9bd33b1c0
Opcode Fuzzy Hash: 2a67bcc82d19ef5a1b258104fd8971417df9c54bda69be35bcc7ab96f72d81f4
Instruction Fuzzy Hash: B22193326216118BDB28CF79C82277A73E5A764310F19CA2EE4A7C37D0DE35A905CB90

Function 00A82ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A82B30
DeleteObject.GDI32(00000000), ref: 00A82B43
DestroyWindow.USER32 ref: 00A82B52
GetDesktopWindow.USER32 ref: 00A82B6D
GetWindowRect.USER32(00000000), ref: 00A82B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A82CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A82CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82CF8
GetClientRect.USER32(00000000,?), ref: 00A82D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A82D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D80
GlobalLock.KERNEL32(00000000), ref: 00A82D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D98
GlobalUnlock.KERNEL32(00000000), ref: 00A82DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82DA8
GlobalFree.KERNEL32(00000000), ref: 00A82DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A9FC38,00000000), ref: 00A82DDB
GlobalFree.KERNEL32(00000000), ref: 00A82DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A82E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A82E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A8303F

Strings

AutoIt v3, xrefs: 00A82CF2
, xrefs: 00A82FC5
DISPLAY, xrefs: 00A82EA2
static, xrefs: 00A82D3A, 00A82E91

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: cc5dbec8f350ca4eb34878ee44529f1d8f58a04ca86a090964757f59875af7e2
Instruction ID: 5fcbaf6f130b5423063d975f4884514cba3f98dfac21368e2df761ca957571b3
Opcode Fuzzy Hash: cc5dbec8f350ca4eb34878ee44529f1d8f58a04ca86a090964757f59875af7e2
Instruction Fuzzy Hash: 6B028075600208AFDB14DFA4DD89EAE7BB9FF48724F108159F915AB2A1DB70ED01CB60

Function 00A970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A9712F
GetSysColorBrush.USER32(0000000F), ref: 00A97160
GetSysColor.USER32(0000000F), ref: 00A9716C
SetBkColor.GDI32(?,000000FF), ref: 00A97186
SelectObject.GDI32(?,?), ref: 00A97195
InflateRect.USER32(?,000000FF,000000FF), ref: 00A971C0
GetSysColor.USER32(00000010), ref: 00A971C8
CreateSolidBrush.GDI32(00000000), ref: 00A971CF
FrameRect.USER32(?,?,00000000), ref: 00A971DE
DeleteObject.GDI32(00000000), ref: 00A971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00A97230
FillRect.USER32(?,?,?), ref: 00A97262
GetWindowLongW.USER32(?,000000F0), ref: 00A97284

Part of subcall function 00A973E8: GetSysColor.USER32(00000012), ref: 00A97421
Part of subcall function 00A973E8: SetTextColor.GDI32(?,?), ref: 00A97425
Part of subcall function 00A973E8: GetSysColorBrush.USER32(0000000F), ref: 00A9743B
Part of subcall function 00A973E8: GetSysColor.USER32(0000000F), ref: 00A97446
Part of subcall function 00A973E8: GetSysColor.USER32(00000011), ref: 00A97463
Part of subcall function 00A973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A97471
Part of subcall function 00A973E8: SelectObject.GDI32(?,00000000), ref: 00A97482
Part of subcall function 00A973E8: SetBkColor.GDI32(?,00000000), ref: 00A9748B
Part of subcall function 00A973E8: SelectObject.GDI32(?,?), ref: 00A97498
Part of subcall function 00A973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A974B7
Part of subcall function 00A973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A974CE
Part of subcall function 00A973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A974DB

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 2bff2c76d8ac6499891177ba2779882414a82b79c02ad3f31f27b7b767778fa6
Instruction ID: 3f7f9339e4ef0f72ea0a67091e4994bf1b300b26e58dc3609c5159341ff447f3
Opcode Fuzzy Hash: 2bff2c76d8ac6499891177ba2779882414a82b79c02ad3f31f27b7b767778fa6
Instruction Fuzzy Hash: F1A17E72218701AFDB01DFA4DC48A6F7BE9FB49330F100B1AF962961E1DB71E9458B61

Function 00A18D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A18E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A56AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A56AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A56F43

Part of subcall function 00A18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A18BE8,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18FC5

SendMessageW.USER32(?,00001053), ref: 00A56F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A56F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A56FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A56FB7

Strings

0, xrefs: 00A56DCF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 2c79c71cbd7805ceceb42c04419673251181fae06c8f3c2f89c13b6bdaeb1617
Instruction ID: fc790788acd74d2b997266692333efe736b260d53be0b484b331011eae99bec2
Opcode Fuzzy Hash: 2c79c71cbd7805ceceb42c04419673251181fae06c8f3c2f89c13b6bdaeb1617
Instruction Fuzzy Hash: 2912BE30601601EFDB25CF24C954BAAB7F1FB45312F94446AF885CB2A2CB35EC9ACB51

Function 00A82711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A8273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A8286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A82900
GetClientRect.USER32(00000000,?), ref: 00A8290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A82955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A82964
GetStockObject.GDI32(00000011), ref: 00A82974
SelectObject.GDI32(00000000,00000000), ref: 00A82978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A82988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A82991
DeleteDC.GDI32(00000000), ref: 00A8299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A82A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A82A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A82A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A82A77
GetStockObject.GDI32(00000011), ref: 00A82A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A82A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A82A97

Strings

AutoIt v3, xrefs: 00A828F8
DISPLAY, xrefs: 00A8295A
static, xrefs: 00A8294F, 00A82A71
msctls_progress32, xrefs: 00A82A13

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 93a7229a2e27c095e7cd8b8c09781008f352a8b2599986d85837fef097d82c8b
Instruction ID: 32f13957a632c7586e92548d0f8182c8c3cfd5bbeed83986cef9c83de6f2f6f6
Opcode Fuzzy Hash: 93a7229a2e27c095e7cd8b8c09781008f352a8b2599986d85837fef097d82c8b
Instruction Fuzzy Hash: 7FB16D71A00619BFEB14DFA8DD49FAE7BA9EB08710F004115FA15EB2D0DB70AD41CBA4

Function 00A74ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A74AED
GetDriveTypeW.KERNEL32(?,00A9CB68,?,\\.\,00A9CC08), ref: 00A74BCA
SetErrorMode.KERNEL32(00000000,00A9CB68,?,\\.\,00A9CC08), ref: 00A74D36

Strings

FileBackedVirtual, xrefs: 00A74CEC
SSA, xrefs: 00A74CA6
PhysicalDrive, xrefs: 00A74B76
RAID, xrefs: 00A74CBB
\\.\, xrefs: 00A74B3F
SAS, xrefs: 00A74CC9
Virtual, xrefs: 00A74CE5
SATA, xrefs: 00A74CD0
ATAPI, xrefs: 00A74C91
SCSI, xrefs: 00A74C8A
1394, xrefs: 00A74C9F
SSD, xrefs: 00A74C4A
Removable, xrefs: 00A74C10, 00A74C15
CDROM, xrefs: 00A74BFB
Fixed, xrefs: 00A74C09
RAMDisk, xrefs: 00A74BF4
MMC, xrefs: 00A74CDE
USB, xrefs: 00A74CB4
iSCSI, xrefs: 00A74CC2
Unknown, xrefs: 00A74BED, 00A74C83
Network, xrefs: 00A74C02
ATA, xrefs: 00A74C98
Fibre, xrefs: 00A74CAD

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 143a5421841af1a43853704a53bfe8cbd179b9e88d11e495a05d94a87eacdf74
Instruction ID: 640e08b8a936a4e0a1e89b603b7c5eb8bc3ac1867f1fc095471360616e17db5c
Opcode Fuzzy Hash: 143a5421841af1a43853704a53bfe8cbd179b9e88d11e495a05d94a87eacdf74
Instruction Fuzzy Hash: 80618F31705509ABCB16DF28CE82E6977B0BF4C344B25C419F80AAB692DB35ED41DB51

Function 00A973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A97421
SetTextColor.GDI32(?,?), ref: 00A97425
GetSysColorBrush.USER32(0000000F), ref: 00A9743B
GetSysColor.USER32(0000000F), ref: 00A97446
CreateSolidBrush.GDI32(?), ref: 00A9744B
GetSysColor.USER32(00000011), ref: 00A97463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A97471
SelectObject.GDI32(?,00000000), ref: 00A97482
SetBkColor.GDI32(?,00000000), ref: 00A9748B
SelectObject.GDI32(?,?), ref: 00A97498
InflateRect.USER32(?,000000FF,000000FF), ref: 00A974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A9752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A97554
InflateRect.USER32(?,000000FD,000000FD), ref: 00A97572
DrawFocusRect.USER32(?,?), ref: 00A9757D
GetSysColor.USER32(00000011), ref: 00A9758E
SetTextColor.GDI32(?,00000000), ref: 00A97596
DrawTextW.USER32(?,00A970F5,000000FF,?,00000000), ref: 00A975A8
SelectObject.GDI32(?,?), ref: 00A975BF
DeleteObject.GDI32(?), ref: 00A975CA
SelectObject.GDI32(?,?), ref: 00A975D0
DeleteObject.GDI32(?), ref: 00A975D5
SetTextColor.GDI32(?,?), ref: 00A975DB
SetBkColor.GDI32(?,?), ref: 00A975E5

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f80d4a8d05e6281f554ff6baf04d00cb36c80e932dd6ff0ac2f6d70133c1c34a
Instruction ID: af83de6b4bdddf7b1da171778d7ef182b1d95fc76f0caf9a5cfdf70d2c48096d
Opcode Fuzzy Hash: f80d4a8d05e6281f554ff6baf04d00cb36c80e932dd6ff0ac2f6d70133c1c34a
Instruction Fuzzy Hash: 9F615F76A00618AFDF01DFA4DC49EEE7FB9EB08330F114116F915AB2A1DB749941CBA0

Function 00A90FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A91128
GetDesktopWindow.USER32 ref: 00A9113D
GetWindowRect.USER32(00000000), ref: 00A91144
GetWindowLongW.USER32(?,000000F0), ref: 00A91199
DestroyWindow.USER32(?), ref: 00A911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A9120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A9121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A91232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A91245
IsWindowVisible.USER32(00000000), ref: 00A912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A912D0
GetWindowRect.USER32(00000000,?), ref: 00A912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00A9130E
GetMonitorInfoW.USER32(00000000,?), ref: 00A91328
CopyRect.USER32(?,?), ref: 00A9133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A913AA

Strings

0, xrefs: 00A910D3
(, xrefs: 00A9131B
tooltips_class32, xrefs: 00A911E6

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0950119a250d4d1198f87dfcddfcfb42bf703d167cfcc5964123995ba6a1d8f0
Instruction ID: 3ec1c52be4f062f1a1a76b95e4f386659a67a63c15eb61983e9c1d324747ea47
Opcode Fuzzy Hash: 0950119a250d4d1198f87dfcddfcfb42bf703d167cfcc5964123995ba6a1d8f0
Instruction Fuzzy Hash: 4CB16B71604341AFDB00DF64D984B6BBBE4FF88354F00891DF99A9B2A1CB31E845CBA1

Function 00A18891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A18968
GetSystemMetrics.USER32(00000007), ref: 00A18970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A1899B
GetSystemMetrics.USER32(00000008), ref: 00A189A3
GetSystemMetrics.USER32(00000004), ref: 00A189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A18A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A18A3C
GetClientRect.USER32(00000000,000000FF), ref: 00A18A5A
GetStockObject.GDI32(00000011), ref: 00A18A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A18A81

Part of subcall function 00A1912D: GetCursorPos.USER32(?), ref: 00A19141
Part of subcall function 00A1912D: ScreenToClient.USER32(00000000,?), ref: 00A1915E
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000001), ref: 00A19183
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000002), ref: 00A1919D

SetTimer.USER32(00000000,00000000,00000028,00A190FC), ref: 00A18AA8

Strings

AutoIt v3 GUI, xrefs: 00A18A20

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 97db2f8ca0241402b78d5e44572eb841ae0a05ad0f853642abc0378bddb37e78
Instruction ID: 14241c0700f324783717bc43bacba3358e1944b3ced2026a4b50ea4f7ae18c76
Opcode Fuzzy Hash: 97db2f8ca0241402b78d5e44572eb841ae0a05ad0f853642abc0378bddb37e78
Instruction Fuzzy Hash: 60B17F71A40209AFDF14DFA8DD55BEE3BB5FB48315F11421AFA16A7290DB34E841CB50

Function 00A60D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
Part of subcall function 00A610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
Part of subcall function 00A610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
Part of subcall function 00A610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A60DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A60E29
GetLengthSid.ADVAPI32(?), ref: 00A60E40
GetAce.ADVAPI32(?,00000000,?), ref: 00A60E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A60E96
GetLengthSid.ADVAPI32(?), ref: 00A60EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A60EB5
HeapAlloc.KERNEL32(00000000), ref: 00A60EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A60EDD
CopySid.ADVAPI32(00000000), ref: 00A60EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A60F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A60F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A60F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F6E
HeapFree.KERNEL32(00000000), ref: 00A60F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F7E
HeapFree.KERNEL32(00000000), ref: 00A60F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F8E
HeapFree.KERNEL32(00000000), ref: 00A60F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00A60FA1
HeapFree.KERNEL32(00000000), ref: 00A60FA8

Part of subcall function 00A61193: GetProcessHeap.KERNEL32(00000008,00A60BB1,?,00000000,?,00A60BB1,?), ref: 00A611A1
Part of subcall function 00A61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A60BB1,?), ref: 00A611A8
Part of subcall function 00A61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A60BB1,?), ref: 00A611B7

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b6d637ee7c28f7cf2c801c81a0aca944e319e56542a9be87c6827d48ce69233f
Instruction ID: 6f4b3f874f666e640ae1eb9ca54952497292983d18c029a1e9bc186b401210e0
Opcode Fuzzy Hash: b6d637ee7c28f7cf2c801c81a0aca944e319e56542a9be87c6827d48ce69233f
Instruction Fuzzy Hash: 87716B72A0021AABDF21DFA4DD44FAFBBB8FF05311F144215FA19E6191DB319945CB60

Function 00A8C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A9CC08,00000000,?,00000000,?,?), ref: 00A8C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A8C5A4
_wcslen.LIBCMT ref: 00A8C5F4
_wcslen.LIBCMT ref: 00A8C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A8C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A8C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A8C84D
RegCloseKey.ADVAPI32(?), ref: 00A8C881
RegCloseKey.ADVAPI32(00000000), ref: 00A8C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A8C960

Strings

REG_EXPAND_SZ, xrefs: 00A8C5CD
REG_SZ, xrefs: 00A8C644
REG_MULTI_SZ, xrefs: 00A8C6F5
REG_BINARY, xrefs: 00A8C913
REG_QWORD, xrefs: 00A8C8C3
REG_DWORD, xrefs: 00A8C804

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 229a00441d72a551c142b0afb6a844a77b69a9ea289d0c7afe82c7d6f895d88b
Instruction ID: 41156fcd1c0639a7d5594eebe839888cfa596c031367d82f338b76d1d798b20a
Opcode Fuzzy Hash: 229a00441d72a551c142b0afb6a844a77b69a9ea289d0c7afe82c7d6f895d88b
Instruction Fuzzy Hash: 841258356042019FDB14EF14D991A2AB7E5EF88724F04889DF89A9B3A2DB31FD41CF91

Function 00A9091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A909C6
_wcslen.LIBCMT ref: 00A90A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A90A54
_wcslen.LIBCMT ref: 00A90A8A
_wcslen.LIBCMT ref: 00A90B06
_wcslen.LIBCMT ref: 00A90B81

Part of subcall function 00A1F9F2: _wcslen.LIBCMT ref: 00A1F9FD

Part of subcall function 00A62BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A62BFA

Strings

GETSELECTED, xrefs: 00A90C4E
ISCHECKED, xrefs: 00A90CE1
COLLAPSE, xrefs: 00A90B01, 00A90B1C
SELECT, xrefs: 00A90D11
EXISTS, xrefs: 00A90B7C, 00A90B97
GETTEXT, xrefs: 00A90C97
GETITEMCOUNT, xrefs: 00A90C1E
CHECK, xrefs: 00A90A85, 00A90AA0
GETTOTALCOUNT, xrefs: 00A909F2, 00A90A17
EXPAND, xrefs: 00A90BF8
UNCHECK, xrefs: 00A90D3E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 495c734ac68a67ccb732c9940e650a3dca067721cab286c8969361329734b6a3
Instruction ID: a3e3c5f6c445bc474ac77678cbd46397184c5ed9e8e7725c3757bb51b55aebfb
Opcode Fuzzy Hash: 495c734ac68a67ccb732c9940e650a3dca067721cab286c8969361329734b6a3
Instruction Fuzzy Hash: 5EE189362087019FCB14EF28C550D6EB7E1BF98394B15895CF8969B3A2DB30ED85CB81

Function 00A8C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
_wcslen.LIBCMT ref: 00A8C9F1
_wcslen.LIBCMT ref: 00A8CA68
_wcslen.LIBCMT ref: 00A8CA9E
_wcslen.LIBCMT ref: 00A8CAF9
_wcslen.LIBCMT ref: 00A8CB2F
_wcslen.LIBCMT ref: 00A8CB7F

Strings

HKEY_USERS, xrefs: 00A8CBDF
HKCU, xrefs: 00A8CBCE
HKEY_CURRENT_CONFIG, xrefs: 00A8CB79, 00A8CB7E
HKLM, xrefs: 00A8CA98, 00A8CA9D
HKEY_LOCAL_MACHINE, xrefs: 00A8CA62, 00A8CA67
HKCR, xrefs: 00A8CB29, 00A8CB2E
HKEY_CURRENT_USER, xrefs: 00A8CBBD
HKCC, xrefs: 00A8CBAC
HKU, xrefs: 00A8CBF0
HKEY_CLASSES_ROOT, xrefs: 00A8CAF3, 00A8CAF8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c5a1aebcd1fa55c18546e0cb63693d86c83a855054dbf8dbd96f5fcab39ebe75
Instruction ID: 08b00c51d10d24fa96da096fbd39108c10e79e8722bbe412eeb690e236a19bc4
Opcode Fuzzy Hash: c5a1aebcd1fa55c18546e0cb63693d86c83a855054dbf8dbd96f5fcab39ebe75
Instruction Fuzzy Hash: 7B71093260056A8BCB10FF7CDD41ABF73A2AB607B4B110529F8669B284E631CD45CBB0

Function 00A9833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A9835A
_wcslen.LIBCMT ref: 00A9836E
_wcslen.LIBCMT ref: 00A98391
_wcslen.LIBCMT ref: 00A983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A9361A,?), ref: 00A9844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A98487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A98501
FreeLibrary.KERNEL32(?), ref: 00A9850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A9851D
DestroyIcon.USER32(?), ref: 00A9852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A98549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A98555

Strings

.dll, xrefs: 00A983AB
.exe, xrefs: 00A98388
.icl, xrefs: 00A98368

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 30159a86830badc8db5311817f1c1524bfb2d8eb06617a4bec3b82cad6dac102
Instruction ID: f11b7503d270f6273388500681dff064d031e796407b5ada5c90b0034aa75695
Opcode Fuzzy Hash: 30159a86830badc8db5311817f1c1524bfb2d8eb06617a4bec3b82cad6dac102
Instruction Fuzzy Hash: 1F61DF71640619BBEF14DF64DC81BBE77A8BF09B21F10461AF815D60D1DF78A980CBA0

Function 00A07778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00A45153
', xrefs: 00A45169
#OnAutoItStartRegister, xrefs: 00A07817
#cs, xrefs: 00A07873, 00A078C5
#requireadmin, xrefs: 00A077FF
#notrayicon, xrefs: 00A077E7
#pragma compile, xrefs: 00A077D3
#include, xrefs: 00A07847
#comments-end, xrefs: 00A078D9
#include-once, xrefs: 00A0782F
#ce, xrefs: 00A078ED
Cannot parse #include, xrefs: 00A45279
Bad directive syntax error, xrefs: 00A4519A
#comments-start, xrefs: 00A0785F, 00A078B1
Unterminated group of comments, xrefs: 00A4528C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 4f94b7032d21b1a2bdcdf70dfbdec0345a5c38920ae78834fce802d9d6416d3d
Instruction ID: 62cfdfa419cf513a3e83cec80ab21a4ec8e4418b9ace0cdeee3524dbdb54f84a
Opcode Fuzzy Hash: 4f94b7032d21b1a2bdcdf70dfbdec0345a5c38920ae78834fce802d9d6416d3d
Instruction Fuzzy Hash: 3081D171F04609BFDB20AF64ED42FAE37A8AF95340F044425F905AA1D2EB74EA51C7A1

Function 00A73E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A73EF8
_wcslen.LIBCMT ref: 00A73F03
_wcslen.LIBCMT ref: 00A73F5A
_wcslen.LIBCMT ref: 00A73F98
GetDriveTypeW.KERNEL32(?), ref: 00A73FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A74059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A74087

Strings

set cd door , xrefs: 00A74028
open, xrefs: 00A73F54, 00A73F59
type cdaudio alias cd wait, xrefs: 00A74001
close, xrefs: 00A73EFE, 00A73F18
close cd wait, xrefs: 00A74072
wait, xrefs: 00A74044
closed, xrefs: 00A73F08, 00A73F2D, 00A73F46, 00A73F7E, 00A73F97
open , xrefs: 00A73FE5

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e6513775b331b722197d6e6987e2c60cfdd461d21ec163baaff292772aa8cabb
Instruction ID: 97b13fba0d6a6173e603dfc3648fa080196b8c54a74b8fae1a82bdd932055075
Opcode Fuzzy Hash: e6513775b331b722197d6e6987e2c60cfdd461d21ec163baaff292772aa8cabb
Instruction Fuzzy Hash: 1E71D072A042159FC710EF24CD8096AB7F4EF98758F01C92DF59A97291EB30ED46CB92

Function 00A65A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A65A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A65A40
SetWindowTextW.USER32(?,?), ref: 00A65A57
GetDlgItem.USER32(?,000003EA), ref: 00A65A6C
SetWindowTextW.USER32(00000000,?), ref: 00A65A72
GetDlgItem.USER32(?,000003E9), ref: 00A65A82
SetWindowTextW.USER32(00000000,?), ref: 00A65A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A65AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A65AC3
GetWindowRect.USER32(?,?), ref: 00A65ACC
_wcslen.LIBCMT ref: 00A65B33
SetWindowTextW.USER32(?,?), ref: 00A65B6F
GetDesktopWindow.USER32 ref: 00A65B75
GetWindowRect.USER32(00000000), ref: 00A65B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A65BD3
GetClientRect.USER32(?,?), ref: 00A65BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00A65C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A65C2F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 82023945c0ae4914d8d108f72dc0a6b7733dacf0a84234d6a5f7772c3d2f7748
Instruction ID: 126737e26e0ee25a87fbae65e8606e568a7b8d32559452c43db8f17bb7508738
Opcode Fuzzy Hash: 82023945c0ae4914d8d108f72dc0a6b7733dacf0a84234d6a5f7772c3d2f7748
Instruction Fuzzy Hash: 10716E31A00B09AFDB20DFB8CE85A6EBBF5FF48714F104519E542A25A0DB75E945CB50

Function 00A7FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00A7FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00A7FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00A7FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00A7FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00A7FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00A7FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00A7FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00A7FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00A7FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00A7FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00A7FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00A7FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00A7FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00A7FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00A7FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00A7FECC
GetCursorInfo.USER32(?), ref: 00A7FEDC
GetLastError.KERNEL32 ref: 00A7FF1E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7b8df50588ca4bf4782ede70feddfa8a643122fcbfa93210ae04f05a25e508ab
Instruction ID: f90d3a034d5d60ae6d5320b225ffb9207412475e8e80548609d30f3ff8c70a0c
Opcode Fuzzy Hash: 7b8df50588ca4bf4782ede70feddfa8a643122fcbfa93210ae04f05a25e508ab
Instruction Fuzzy Hash: FF4124B0D083196EDB10DFBA9C8585EBFE8FF04764B50852AE11DEB281DB789901CE91

Function 00A200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A200C6

Part of subcall function 00A200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00AD070C,00000FA0,6E5DD1AB,?,?,?,?,00A423B3,000000FF), ref: 00A2011C
Part of subcall function 00A200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A423B3,000000FF), ref: 00A20127
Part of subcall function 00A200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A423B3,000000FF), ref: 00A20138
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A2014E
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A2015C
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A2016A
Part of subcall function 00A200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A20195
Part of subcall function 00A200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A201A0

___scrt_fastfail.LIBCMT ref: 00A200E7

Part of subcall function 00A200A3: __onexit.LIBCMT ref: 00A200A9

Strings

WakeAllConditionVariable, xrefs: 00A20162
SleepConditionVariableCS, xrefs: 00A20154
InitializeConditionVariable, xrefs: 00A20148
kernel32.dll, xrefs: 00A20133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A20122

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 923c2c500a0c7b819d98ac7c0be7ca923c08a3e7b8ac87259aa9922c5f7b655c
Instruction ID: e21eabcb038a89163e7badacffc25e8e5eadc6cbe580f83b608d845f873de5ab
Opcode Fuzzy Hash: 923c2c500a0c7b819d98ac7c0be7ca923c08a3e7b8ac87259aa9922c5f7b655c
Instruction Fuzzy Hash: 0121D732745B207FEB109BB8BC06F6A73E4FB05B61F100637F806E6692DE6498008A94

Function 00A630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6318D
_wcslen.LIBCMT ref: 00A631F8

Strings

CLASS, xrefs: 00A63188, 00A631A5
TEXT, xrefs: 00A6347C
REGEXPCLASS, xrefs: 00A63255, 00A63266
NAME, xrefs: 00A63335, 00A63346
INSTANCE, xrefs: 00A63453
CLASSNN, xrefs: 00A631F3, 00A63204

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: f18b4c264a1cf30d81a4741b2ff32e8c0e6698344042676f956faa01453d45fc
Instruction ID: fb5b08b1d7123f28d83cd4c7a27cdd863cde679669d52d4ae61b0b02df083d24
Opcode Fuzzy Hash: f18b4c264a1cf30d81a4741b2ff32e8c0e6698344042676f956faa01453d45fc
Instruction Fuzzy Hash: C8E1A333E00526ABCF149F78C851BEEFBB4BF54710F558129E556A7240EF30AE868790

Function 00A744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00A9CC08), ref: 00A74527
_wcslen.LIBCMT ref: 00A7453B
_wcslen.LIBCMT ref: 00A74599
_wcslen.LIBCMT ref: 00A745F4
_wcslen.LIBCMT ref: 00A7463F
_wcslen.LIBCMT ref: 00A746A7

Part of subcall function 00A1F9F2: _wcslen.LIBCMT ref: 00A1F9FD

GetDriveTypeW.KERNEL32(?,00AC6BF0,00000061), ref: 00A74743

Strings

removable, xrefs: 00A745EA, 00A745EF
fixed, xrefs: 00A74635, 00A7463A
network, xrefs: 00A7469D, 00A746A2
all, xrefs: 00A74531, 00A74536
cdrom, xrefs: 00A7458F, 00A74594
ramdisk, xrefs: 00A746F1
unknown, xrefs: 00A74708

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: afae2be100ce06ef749d12a3fa56a0ee32bc0bd21e3ff478945663a8bd1223e7
Instruction ID: 7e7e60bb8e244bc2eaf9e351a07a2bb1f9274323bce96b2ef6dd5a8ad661738b
Opcode Fuzzy Hash: afae2be100ce06ef749d12a3fa56a0ee32bc0bd21e3ff478945663a8bd1223e7
Instruction Fuzzy Hash: A0B1D0716083029FC714DF28DD90A6AB7E5AFA9760F50CA2DF49AC7291D730DD44CB92

Function 00A9911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DragQueryPoint.SHELL32(?,?), ref: 00A99147

Part of subcall function 00A97674: ClientToScreen.USER32(?,?), ref: 00A9769A
Part of subcall function 00A97674: GetWindowRect.USER32(?,?), ref: 00A97710
Part of subcall function 00A97674: PtInRect.USER32(?,?,00A98B89), ref: 00A97720

SendMessageW.USER32(?,000000B0,?,?), ref: 00A991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A99225
SendMessageW.USER32(?,000000B0,?,?), ref: 00A9923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A99255
SendMessageW.USER32(?,000000B1,?,?), ref: 00A99277
DragFinish.SHELL32(?), ref: 00A9927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A99371

Strings

@GUI_DRAGID, xrefs: 00A992E9
(>, xrefs: 00A992BB
@GUI_DRAGFILE, xrefs: 00A99320
@GUI_DROPID, xrefs: 00A9929E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: (>$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-591034327
Opcode ID: 1d863bb03d76f1811a4a10e9ba69f8b739f2faf70a1783aa8ec867cea29bbc05
Instruction ID: b7871a032a43a9a6b6968603f4d6094c2b930c4e65cfa36d91ce228d6774549e
Opcode Fuzzy Hash: 1d863bb03d76f1811a4a10e9ba69f8b739f2faf70a1783aa8ec867cea29bbc05
Instruction Fuzzy Hash: 12618A71208305AFD701DFA4DD85DAFBBE8FF89750F00091EF596961A1DB309A49CB62

Function 00A83FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A9CC08), ref: 00A840BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A840CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00A9CC08), ref: 00A840F2
FreeLibrary.KERNEL32(00000000,?,00A9CC08), ref: 00A8413E
StringFromGUID2.OLE32(?,?,00000028,?,00A9CC08), ref: 00A841A8
SysFreeString.OLEAUT32(00000009), ref: 00A84262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A842C8
SysFreeString.OLEAUT32(?), ref: 00A842F2

Strings

kernel32.dll, xrefs: 00A840B6
GetModuleHandleExW, xrefs: 00A840C7

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 479e983445c09ad7b7bfc60ea5138397593898fe656fa687be676386eadca6ea
Instruction ID: b9097bcb2430dce99e594a6c22394b266ba3576be19434e8c17e13275d7ac6ce
Opcode Fuzzy Hash: 479e983445c09ad7b7bfc60ea5138397593898fe656fa687be676386eadca6ea
Instruction Fuzzy Hash: F1123D75A0021AEFDB14EF94C884EAEBBB5FF49314F248099F9059B251D731ED46CBA0

Function 00A0326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00AD1990), ref: 00A42F8D
GetMenuItemCount.USER32(00AD1990), ref: 00A4303D
GetCursorPos.USER32(?), ref: 00A43081
SetForegroundWindow.USER32(00000000), ref: 00A4308A
TrackPopupMenuEx.USER32(00AD1990,00000000,?,00000000,00000000,00000000), ref: 00A4309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A430A9

Strings

0, xrefs: 00A0327D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ad72dab62ecfce21a962fb3d5633d53ee416f9236571ac1030fa619ba521aa0c
Instruction ID: cf8555d2fb521d243bb54a87ede5f810da84b5be15942a00a5dda8fe178d8bb5
Opcode Fuzzy Hash: ad72dab62ecfce21a962fb3d5633d53ee416f9236571ac1030fa619ba521aa0c
Instruction Fuzzy Hash: 6171F535640209BEEB21CF64DC49FAABF78FF45364F204216F625AA1E0C7B1A964CB50

Function 00A96CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00A96DEB

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A96E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A96E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A96E94
DestroyWindow.USER32(?), ref: 00A96EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A00000,00000000), ref: 00A96EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A96EFD
GetDesktopWindow.USER32 ref: 00A96F16
GetWindowRect.USER32(00000000), ref: 00A96F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A96F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A96F4D

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

Strings

0, xrefs: 00A96D98
tooltips_class32, xrefs: 00A96E58, 00A96EDD

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b379330980105531c7f2a19cbb5b88ff9535ba5982cf393b432f8a3b3bd0c76c
Instruction ID: 02cf44a45186eb80375c038aa394c3f3e3cfb80463f5222ab1936a24359f8964
Opcode Fuzzy Hash: b379330980105531c7f2a19cbb5b88ff9535ba5982cf393b432f8a3b3bd0c76c
Instruction Fuzzy Hash: 72715674604244AFDB21CF68D954FBABBE9FF89314F44081EF989872A1DB74A906CB11

Function 00A7C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A7C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A7C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A7C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A7C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A7C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A7C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A7C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A7C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A7C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A7C5F0
InternetCloseHandle.WININET(00000000), ref: 00A7C5FB

Strings

, xrefs: 00A7C575

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0964fcd4c30bbe7588568707c60ef0f2394b300e1a8c18ca06f4884e5fe938bc
Instruction ID: 7c3cb4c23895b77348e46a12daf9f7dea79ed77f717e69f1bb325edab3feb819
Opcode Fuzzy Hash: 0964fcd4c30bbe7588568707c60ef0f2394b300e1a8c18ca06f4884e5fe938bc
Instruction Fuzzy Hash: E5512BB1640604BFDB21DFA4CD88AAB7BBCFB08764F00C51EF94A96250DB35E9459B60

Function 00A9856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00A98592
GetFileSize.KERNEL32(00000000,00000000), ref: 00A985A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00A985AD
CloseHandle.KERNEL32(00000000), ref: 00A985BA
GlobalLock.KERNEL32(00000000), ref: 00A985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A985D7
GlobalUnlock.KERNEL32(00000000), ref: 00A985E0
CloseHandle.KERNEL32(00000000), ref: 00A985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A985F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A9FC38,?), ref: 00A98611
GlobalFree.KERNEL32(00000000), ref: 00A98621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00A98641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A98671
DeleteObject.GDI32(00000000), ref: 00A98699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A986AF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: eb0616e9812d361f23b378f35f575a1469561248b0e99421bd28eae44dcf0e7f
Instruction ID: a4119cd520b732fc07e49e8cc16e0213d8ac4b1230fa4ff903c0e6efad490c43
Opcode Fuzzy Hash: eb0616e9812d361f23b378f35f575a1469561248b0e99421bd28eae44dcf0e7f
Instruction Fuzzy Hash: 6E411975700604AFDB11DFA5DD48EAA7BBCFF89721F108159F905EB260DB349902CB60

Function 00A714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A71502
VariantCopy.OLEAUT32(?,?), ref: 00A7150B
VariantClear.OLEAUT32(?), ref: 00A71517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00A71657
VariantInit.OLEAUT32(?), ref: 00A71708
SysFreeString.OLEAUT32(?), ref: 00A7178C
VariantClear.OLEAUT32(?), ref: 00A717D8
VariantClear.OLEAUT32(?), ref: 00A717E7
VariantInit.OLEAUT32(00000000), ref: 00A71823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A71625
Default, xrefs: 00A716AF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ac966484d01c8f635134f7acbf5c9365db3b4d98dd4b74c8513b8a68af94dad2
Instruction ID: 0351fb896dd781fb6d3e1f2a76c3d057fb773244402461cea81e1b7d3f892b0e
Opcode Fuzzy Hash: ac966484d01c8f635134f7acbf5c9365db3b4d98dd4b74c8513b8a68af94dad2
Instruction Fuzzy Hash: C0D1DD72A00615EBDF189F69E985BB9B7F9BF44704F14C05AE40AAB180DB30EC45DB62

Function 00A8B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00A8B80A
RegCloseKey.ADVAPI32(?), ref: 00A8B87E
RegCloseKey.ADVAPI32(?), ref: 00A8B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A8B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A8B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00A8B922
FreeLibrary.KERNEL32(00000000), ref: 00A8B983
RegCloseKey.ADVAPI32(00000000), ref: 00A8B994

Strings

RegDeleteKeyExW, xrefs: 00A8B8FE
advapi32.dll, xrefs: 00A8B8ED

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 1955b49472e2d0fd8d9a2e439f7d8d7258c7d1844d87506d096144436a33db96
Instruction ID: d63a972558fed6909e8bf41c9fba7855d8b9dd7b04c1121be5a5b8f8e0c47097
Opcode Fuzzy Hash: 1955b49472e2d0fd8d9a2e439f7d8d7258c7d1844d87506d096144436a33db96
Instruction Fuzzy Hash: 4CC17E30214201AFD714EF24C495F2ABBE5BF84318F14855CF59A4B2A2CB75ED46CBA2

Function 00A8255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A825E8
CreateCompatibleDC.GDI32(?), ref: 00A825F4
SelectObject.GDI32(00000000,?), ref: 00A82601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A8266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A826D0
SelectObject.GDI32(?,?), ref: 00A826D8
DeleteObject.GDI32(?), ref: 00A826E1
DeleteDC.GDI32(?), ref: 00A826E8
ReleaseDC.USER32(00000000,?), ref: 00A826F3

Strings

(, xrefs: 00A8268D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 07e8abd26795f948af051bd11782972671fee08ce502a6d25671c851fee8d741
Instruction ID: 1e1306cfc9693be822b026aa17600b9b0bd9b3bd5a82e55462cf30454a1187db
Opcode Fuzzy Hash: 07e8abd26795f948af051bd11782972671fee08ce502a6d25671c851fee8d741
Instruction Fuzzy Hash: AD61F375E00219EFCF14DFE8D984AAEBBB5FF48310F20852AE955A7250E770A941CF64

Function 00A3DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A3DAA1

Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D659
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D66B
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D67D
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D68F
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6A1
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6B3
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6C5
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6D7
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6E9
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6FB
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D70D
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D71F
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D731

_free.LIBCMT ref: 00A3DA96

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3DAB8
_free.LIBCMT ref: 00A3DACD
_free.LIBCMT ref: 00A3DAD8
_free.LIBCMT ref: 00A3DAFA
_free.LIBCMT ref: 00A3DB0D
_free.LIBCMT ref: 00A3DB1B
_free.LIBCMT ref: 00A3DB26
_free.LIBCMT ref: 00A3DB5E
_free.LIBCMT ref: 00A3DB65
_free.LIBCMT ref: 00A3DB82
_free.LIBCMT ref: 00A3DB9A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b93d9865debfbc1a363ab733d278cc2a6938834d255316bd56fe93c788bb87db
Instruction ID: 5a6f6b3f117df63b7113a7ead8bf854b9a67a749510ccf9038109eb62c73cb87
Opcode Fuzzy Hash: b93d9865debfbc1a363ab733d278cc2a6938834d255316bd56fe93c788bb87db
Instruction Fuzzy Hash: DF312732A04705DFEB22AF39FA45B5AB7E9FF40360F154469F459DB191DB31AC808B20

Function 00A6365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A6369C
_wcslen.LIBCMT ref: 00A636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A63797
GetClassNameW.USER32(?,?,00000400), ref: 00A6380C
GetDlgCtrlID.USER32(?), ref: 00A6385D
GetWindowRect.USER32(?,?), ref: 00A63882
GetParent.USER32(?), ref: 00A638A0
ScreenToClient.USER32(00000000), ref: 00A638A7
GetClassNameW.USER32(?,?,00000100), ref: 00A63921
GetWindowTextW.USER32(?,?,00000400), ref: 00A6395D

Strings

%s%u, xrefs: 00A63734

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 0dbe0b79d7e4196d8ab553bb497eac9d7c3fd4e1e68ce7fe8b333a4f092f1efc
Instruction ID: be1fe28d35fc2dbdb7ff8ec8423c5fdd3129afdfe577a07ce30eed5c424c204e
Opcode Fuzzy Hash: 0dbe0b79d7e4196d8ab553bb497eac9d7c3fd4e1e68ce7fe8b333a4f092f1efc
Instruction Fuzzy Hash: 0991B172204706AFDB19DF64C895BEAB7B8FF44350F008529F99AC6190DB30EA46CB91

Function 00A64954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00A64994
GetWindowTextW.USER32(?,?,00000400), ref: 00A649DA
_wcslen.LIBCMT ref: 00A649EB
CharUpperBuffW.USER32(?,00000000), ref: 00A649F7
_wcsstr.LIBVCRUNTIME ref: 00A64A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A64A64
GetWindowTextW.USER32(?,?,00000400), ref: 00A64A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A64AE6
GetClassNameW.USER32(?,?,00000400), ref: 00A64B20
GetWindowRect.USER32(?,?), ref: 00A64B8B

Strings

ThumbnailClass, xrefs: 00A64A6F, 00A64AF1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 13d6cfa761ad8c73ee10433c2f0dd37cb9ca7a18a532e21160e6907900f57342
Instruction ID: c75509d0ea4448aaa1a4badbe9d65717f99de2f5434cb4c5b7da586de3b3ea3b
Opcode Fuzzy Hash: 13d6cfa761ad8c73ee10433c2f0dd37cb9ca7a18a532e21160e6907900f57342
Instruction Fuzzy Hash: 1991EE72104205AFDB04CF54C981BAA7BF8FF88354F04846AFE859A196DB30ED45CBA1

Function 00A6BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00AD1990,000000FF,00000000,00000030), ref: 00A6BFAC
SetMenuItemInfoW.USER32(00AD1990,00000004,00000000,00000030), ref: 00A6BFE1
Sleep.KERNEL32(000001F4), ref: 00A6BFF3
GetMenuItemCount.USER32(?), ref: 00A6C039
GetMenuItemID.USER32(?,00000000), ref: 00A6C056
GetMenuItemID.USER32(?,-00000001), ref: 00A6C082
GetMenuItemID.USER32(?,?), ref: 00A6C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A6C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A6C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A6C145

Strings

0, xrefs: 00A6BF3D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: f889f8fe3d99fe9ca1a1c0686f1e6625e2c6bebf0c9244bbc1f3a43afe17c537
Instruction ID: 9241830487508c5fca01d6abf06457892343842d8c6015e4f33941adb9abfd29
Opcode Fuzzy Hash: f889f8fe3d99fe9ca1a1c0686f1e6625e2c6bebf0c9244bbc1f3a43afe17c537
Instruction Fuzzy Hash: 0D61B3B0A0024AAFDF11CFA4CD88AFE7BB8EB05364F404116F991A3291CB35AD45CB60

Function 00A8CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A8CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A8CD48

Part of subcall function 00A8CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A8CCAA
Part of subcall function 00A8CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A8CCBD
Part of subcall function 00A8CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A8CCCF
Part of subcall function 00A8CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A8CD05
Part of subcall function 00A8CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A8CCF3

Strings

RegDeleteKeyExW, xrefs: 00A8CCC9
advapi32.dll, xrefs: 00A8CCB8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f6d44055cbfeb60f145bedddc85cb6c0b3c4bf68e901ad86c2b36d7669bebdd8
Instruction ID: 99bd824d0e0e7e3a3be4223593a06c78f13877c76b2c76a82845e65774a46ab7
Opcode Fuzzy Hash: f6d44055cbfeb60f145bedddc85cb6c0b3c4bf68e901ad86c2b36d7669bebdd8
Instruction Fuzzy Hash: 803160B1A01129BBDB20EB95DC88EFFBB7CEF45760F000166A905E3150DA749A46DFB0

Function 00A73D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A73D40
_wcslen.LIBCMT ref: 00A73D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A73D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A73DBE
RemoveDirectoryW.KERNEL32(?), ref: 00A73DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A73E55
CloseHandle.KERNEL32(00000000), ref: 00A73E60
CloseHandle.KERNEL32(00000000), ref: 00A73E6B

Strings

:, xrefs: 00A73D82
\, xrefs: 00A73D77
\??\%s, xrefs: 00A73D5B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: bce8975ea4260902d3188bfe979235800b84acabe54a4a0990263e245e0602fb
Instruction ID: 495915dd1e2d4a695d0d59a57a969e6c9c5ebaacde8238dabd5bfbf1b90a9d08
Opcode Fuzzy Hash: bce8975ea4260902d3188bfe979235800b84acabe54a4a0990263e245e0602fb
Instruction Fuzzy Hash: E031AF72A00219ABDF20DBA4DC49FEB37BCEF88710F1181B6F509D6061EB7097858B24

Function 00A6E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A6E6B4

Part of subcall function 00A1E551: timeGetTime.WINMM(?,?,00A6E6D4), ref: 00A1E555

Sleep.KERNEL32(0000000A), ref: 00A6E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A6E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A6E727
SetActiveWindow.USER32 ref: 00A6E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A6E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A6E773
Sleep.KERNEL32(000000FA), ref: 00A6E77E
IsWindow.USER32 ref: 00A6E78A
EndDialog.USER32(00000000), ref: 00A6E79B

Strings

BUTTON, xrefs: 00A6E719

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: dd08c2d9353f4eff710039280fccdbd739ed13aa31aed9a2f58e4ada50cda6e3
Instruction ID: d20f40dbfbbb0a2f99c876a8c98ad2a722e1a7828491fcf6d97b1ae7d8384ef2
Opcode Fuzzy Hash: dd08c2d9353f4eff710039280fccdbd739ed13aa31aed9a2f58e4ada50cda6e3
Instruction Fuzzy Hash: 19218CB9341704BFEB01DFE4EC89B263B79FB64758B101826F912821A1DF71AC16DB24

Function 00A6E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A6EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A6EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A6EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A6EAA7

Strings

play PlayMe wait, xrefs: 00A6EA91
status PlayMe mode, xrefs: 00A6EA58
alias PlayMe, xrefs: 00A6EA36
play PlayMe, xrefs: 00A6EAA2
close PlayMe, xrefs: 00A6EA6E, 00A6EA9B
open , xrefs: 00A6EA0C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ca4e316e5b6b387a5ea8eac4a8cfbc89dca79f526ea69fe4f390042879f13c83
Instruction ID: 25407dd89247ddf614e14d7fc89b06a086a35bf1e85877def5e1890f89f75c2b
Opcode Fuzzy Hash: ca4e316e5b6b387a5ea8eac4a8cfbc89dca79f526ea69fe4f390042879f13c83
Instruction Fuzzy Hash: C111A335A5021D79D720E7A5ED4AEFF6A7CFFD1B40F0008297401A20D1EE700905C6B1

Function 00A69F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A6A012
SetKeyboardState.USER32(?), ref: 00A6A07D
GetAsyncKeyState.USER32(000000A0), ref: 00A6A09D
GetKeyState.USER32(000000A0), ref: 00A6A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00A6A0E3
GetKeyState.USER32(000000A1), ref: 00A6A0F4
GetAsyncKeyState.USER32(00000011), ref: 00A6A120
GetKeyState.USER32(00000011), ref: 00A6A12E
GetAsyncKeyState.USER32(00000012), ref: 00A6A157
GetKeyState.USER32(00000012), ref: 00A6A165
GetAsyncKeyState.USER32(0000005B), ref: 00A6A18E
GetKeyState.USER32(0000005B), ref: 00A6A19C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 979e907bfcccb5838d2250b9a657059496c3ebae7a48baf91b57433c3f292b0a
Instruction ID: 327eb2e5d6bfa330604bb4215fac8a5d141c4cc6875a1cca5e91d27313d0acf7
Opcode Fuzzy Hash: 979e907bfcccb5838d2250b9a657059496c3ebae7a48baf91b57433c3f292b0a
Instruction Fuzzy Hash: 6C51BB7060478429FB35DBB085117EBBFF59F23340F098599D5C2671C2DA64AE8CCB62

Function 00A65CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A65CE2
GetWindowRect.USER32(00000000,?), ref: 00A65CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A65D59
GetDlgItem.USER32(?,00000002), ref: 00A65D69
GetWindowRect.USER32(00000000,?), ref: 00A65D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A65DCF
GetDlgItem.USER32(?,000003E9), ref: 00A65DDD
GetWindowRect.USER32(00000000,?), ref: 00A65DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A65E31
GetDlgItem.USER32(?,000003EA), ref: 00A65E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A65E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A65E67

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0749e6f1993c3854a61fcd2787f9f0610b7bd971a7f57f5ae1d19ce74510eca1
Instruction ID: e77a8d21533aeec2de8947995a9c67e67c40b4ee5919fc598e588f8595ba1ae8
Opcode Fuzzy Hash: 0749e6f1993c3854a61fcd2787f9f0610b7bd971a7f57f5ae1d19ce74510eca1
Instruction Fuzzy Hash: 08510C71F00605AFDF18CFA8DD89AAEBBB5EF48310F548129F515E6290DB709E01CB60

Function 00A18BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A18BE8,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18FC5

DestroyWindow.USER32(?), ref: 00A18C81
KillTimer.USER32(00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00A56973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000), ref: 00A569D4
DeleteObject.GDI32(00000000), ref: 00A569E6

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: beff6a349063291c40701f39ec336db2bd4fe24c9535d05a87ef873d6e0f3348
Instruction ID: 67317e849d28b787b8689e03df10be71bfbc3dc56eb7ec4c982b93d51d3d015a
Opcode Fuzzy Hash: beff6a349063291c40701f39ec336db2bd4fe24c9535d05a87ef873d6e0f3348
Instruction Fuzzy Hash: AC618D30602700EFCB25DFA8DA58BA977F1FB40352F54451AE4439B960CB39A9C6DF90

Function 00A19838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

GetSysColor.USER32(0000000F), ref: 00A19862

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d6f9e3b6141c59f187250bfa8ca5a38e24116c97dcf6f6082334416978f2bd4d
Instruction ID: 850d859686d8e40cbd3b9645b0e65c3963c4a677ca90d8e61e6dc730346bf2ce
Opcode Fuzzy Hash: d6f9e3b6141c59f187250bfa8ca5a38e24116c97dcf6f6082334416978f2bd4d
Instruction Fuzzy Hash: 4641A531204640AFDB209F7C9C94BFA3BA5FB06771F244616F9A29B1E1DB319C82DB11

Function 00A73388 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A733CF

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A733F0

Strings

^ ERROR , xrefs: 00A7349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00A73504
"%s" (%d) : ==> %s:, xrefs: 00A73522
Error: , xrefs: 00A734D1
Incorrect parameters to object property !, xrefs: 00A734AB
Line %d (File "%s"):, xrefs: 00A73443, 00A7345C
G(>, xrefs: 00A73388

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$G(>$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-1792434128
Opcode ID: d3a555d84bdfda191e0f22ca62a5bb0525467f47ddda9f3756b81be761e47707
Instruction ID: 5731148694e8311748f712b4fcca57f84ee17e47eb6bde5e0a4cfdefcfd9d6c6
Opcode Fuzzy Hash: d3a555d84bdfda191e0f22ca62a5bb0525467f47ddda9f3756b81be761e47707
Instruction Fuzzy Hash: 77518C72900209BADF18EBE0DE46EEEB778AF04340F108465F509760A2EB312F58DB61

Function 00A696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00A4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A69717
LoadStringW.USER32(00000000,?,00A4F7F8,00000001), ref: 00A69720

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00A4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A69742
LoadStringW.USER32(00000000,?,00A4F7F8,00000001), ref: 00A69745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A69866

Strings

Line %d:, xrefs: 00A697A0
%s (%d) : ==> %s: %s %s, xrefs: 00A6984A
Error: , xrefs: 00A6981D
Line %d (File "%s"):, xrefs: 00A6978F
^ ERROR, xrefs: 00A697FB

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 95c1d222f4ee9a03f381642362a387d2e6fc42cf469f3c0f62b9a3ab4226425d
Instruction ID: 3124b6f19e0d8515ea06305f75044e108b9e8372e9e5992102084a9ee42e51a2
Opcode Fuzzy Hash: 95c1d222f4ee9a03f381642362a387d2e6fc42cf469f3c0f62b9a3ab4226425d
Instruction Fuzzy Hash: 2A41197290020DAADF04EBE0EF86EEFB77CAF55340F500465B60576092EA356F49CB61

Function 00A606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A60804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A6082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A60837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A6083C

Strings

\IPC$, xrefs: 00A60784
\CLSID, xrefs: 00A60724
SOFTWARE\Classes\, xrefs: 00A6070E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 99fbf9da71c8e6ed3806090343cf95a065c21acea194702269401187f89b06c4
Instruction ID: 811b1a488e7ed0f62704bd9ba3890ace53dc28bb2074ae88df3eacbaa83c98af
Opcode Fuzzy Hash: 99fbf9da71c8e6ed3806090343cf95a065c21acea194702269401187f89b06c4
Instruction Fuzzy Hash: B9410672D1062DABDF15EBA4ED85DEEB778BF14350F044169E901A71A1EB30AE44CBA0

Function 00A93F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A9403B
CreateCompatibleDC.GDI32(00000000), ref: 00A94042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A94055
SelectObject.GDI32(00000000,00000000), ref: 00A9405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A94068
DeleteDC.GDI32(00000000), ref: 00A94072
GetWindowLongW.USER32(?,000000EC), ref: 00A9407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00A94092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00A9409E

Strings

static, xrefs: 00A93FD3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7726ee6d19fe92c01378bd6d034661addb78c95f5fef35385053d14da79f7af8
Instruction ID: 56b83cba19b4391d0b2feaffb50152d0f1132b8494b3c63cee493f3473982515
Opcode Fuzzy Hash: 7726ee6d19fe92c01378bd6d034661addb78c95f5fef35385053d14da79f7af8
Instruction Fuzzy Hash: 28315C32601615BBDF219FA8DC49FDA3BA8EF0D324F110211FA15E61A0DB75D812DB64

Function 00A83C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A83C5C
CoInitialize.OLE32(00000000), ref: 00A83C8A
CoUninitialize.OLE32 ref: 00A83C94
_wcslen.LIBCMT ref: 00A83D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00A83DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A83ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A83F0E
CoGetObject.OLE32(?,00000000,00A9FB98,?), ref: 00A83F2D
SetErrorMode.KERNEL32(00000000), ref: 00A83F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A83FC4
VariantClear.OLEAUT32(?), ref: 00A83FD8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9a07e4523d647cbb45eaeb62e562e6444de4bbeb2c390a6d2583e74a114f7fbf
Instruction ID: 1835ba6173d00249f1d459a11758abf3483f15a850ac1d9b2cbfdc222cbc3878
Opcode Fuzzy Hash: 9a07e4523d647cbb45eaeb62e562e6444de4bbeb2c390a6d2583e74a114f7fbf
Instruction Fuzzy Hash: 1CC147726083059FDB00EF68C98492BBBE9FF89B44F10491DF98A9B251DB31ED45CB52

Function 00A77A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A77AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A77B8F
SHGetDesktopFolder.SHELL32(?), ref: 00A77BA3
CoCreateInstance.OLE32(00A9FD08,00000000,00000001,00AC6E6C,?), ref: 00A77BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A77C74
CoTaskMemFree.OLE32(?,?), ref: 00A77CCC
SHBrowseForFolderW.SHELL32(?), ref: 00A77D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A77D7A
CoTaskMemFree.OLE32(00000000), ref: 00A77D81
CoTaskMemFree.OLE32(00000000), ref: 00A77DD6
CoUninitialize.OLE32 ref: 00A77DDC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 26bda90e0b1fc0a36f6214d0ca5bede2ef23f92f55e533f6088da51e5f5c5532
Instruction ID: 894ec5bd963e2006e661599cfd2ef875c3c6aaba0f20ef16d8d267d55d5470b3
Opcode Fuzzy Hash: 26bda90e0b1fc0a36f6214d0ca5bede2ef23f92f55e533f6088da51e5f5c5532
Instruction Fuzzy Hash: F6C10C75A04109AFDB14DFA4C984DAEBBF5FF48314B14C499E81ADB262DB30ED45CB90

Function 00A9541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A95504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A95515
CharNextW.USER32(00000158), ref: 00A95544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A95585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A9559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A955AC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 16a2833d7da388fa96afa19aceef522cb7bad57706c92816d4270e23f9771490
Instruction ID: 13024a49b1d710a05ca93e6470a98a841fdbd9ef793dd114968be1fbc144b51f
Opcode Fuzzy Hash: 16a2833d7da388fa96afa19aceef522cb7bad57706c92816d4270e23f9771490
Instruction Fuzzy Hash: 0C618E35F00608AFDF12DFA4CC869FE7BF9EB45720F108145FA25AA291D7749A81DB60

Function 00A5FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A5FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00A5FB08
VariantInit.OLEAUT32(?), ref: 00A5FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A5FB3A
VariantCopy.OLEAUT32(?,?), ref: 00A5FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A5FBA1
VariantClear.OLEAUT32(?), ref: 00A5FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A5FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A5FBCC
VariantClear.OLEAUT32(?), ref: 00A5FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A5FBE9

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3d30bb489e4356c9ec71b1b6f2c2ec60dfe5d25ad16721dc4664acc3632f1fd0
Instruction ID: 9fa0e0447b65d0e0604220a28da64d9201241e4b89c6b2e71b7c3989707069cb
Opcode Fuzzy Hash: 3d30bb489e4356c9ec71b1b6f2c2ec60dfe5d25ad16721dc4664acc3632f1fd0
Instruction Fuzzy Hash: 04416375B00219DFCF00DFA8D8589ADBBB9FF48355F018065F916A7261CB30A946CFA1

Function 00A69C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A69CA1
GetAsyncKeyState.USER32(000000A0), ref: 00A69D22
GetKeyState.USER32(000000A0), ref: 00A69D3D
GetAsyncKeyState.USER32(000000A1), ref: 00A69D57
GetKeyState.USER32(000000A1), ref: 00A69D6C
GetAsyncKeyState.USER32(00000011), ref: 00A69D84
GetKeyState.USER32(00000011), ref: 00A69D96
GetAsyncKeyState.USER32(00000012), ref: 00A69DAE
GetKeyState.USER32(00000012), ref: 00A69DC0
GetAsyncKeyState.USER32(0000005B), ref: 00A69DD8
GetKeyState.USER32(0000005B), ref: 00A69DEA

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d426351b89d01621c914e70d93ee634328ca4b3a0a43dd4116e9494aab579a7b
Instruction ID: f415de64eed881740db0a5a63f478825241c78c3ca4b22613fd14c1608f184be
Opcode Fuzzy Hash: d426351b89d01621c914e70d93ee634328ca4b3a0a43dd4116e9494aab579a7b
Instruction Fuzzy Hash: 3141C834604BC9ADFF31D7A4C8043B7BEB8AF11354F04806ADAC6565C2DBB599D8C7A2

Function 00A8055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A805BC
inet_addr.WSOCK32(?), ref: 00A8061C
gethostbyname.WSOCK32(?), ref: 00A80628
IcmpCreateFile.IPHLPAPI ref: 00A80636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00A807B9
WSACleanup.WSOCK32 ref: 00A807BF

Strings

Ping, xrefs: 00A80676

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7e95c134ff5a0939a5110f110e4679ebfad83f6c4f976f08957eed20ded4fcd6
Instruction ID: 41c4c9b1f84c5c4a3fce10f238f762e4566622e4b5619a7183ab682c66540f60
Opcode Fuzzy Hash: 7e95c134ff5a0939a5110f110e4679ebfad83f6c4f976f08957eed20ded4fcd6
Instruction Fuzzy Hash: A891BF356086419FD360EF15D988F1ABBE0AF44318F1485A9F46A8B7A2CB70FC49CF91

Function 00A88CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00A88CF3

Part of subcall function 00A68E54: _wcslen.LIBCMT ref: 00A68E77

_wcslen.LIBCMT ref: 00A88D4E
_wcslen.LIBCMT ref: 00A88D9C
_wcslen.LIBCMT ref: 00A88DDC
_wcslen.LIBCMT ref: 00A88E6E

Strings

stdcall, xrefs: 00A88DD6, 00A88DDB
cdecl, xrefs: 00A88D48, 00A88D4D
winapi, xrefs: 00A88D96, 00A88D9B
none, xrefs: 00A88E65, 00A88E6A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2e6fe6d7cb1372a8dbe3237206260439b163979259b6cc8077d75b3927f6b230
Instruction ID: 8510f4c99b729652ffacc28e17cf02f91dbb279b30653a8426d81866853d99b3
Opcode Fuzzy Hash: 2e6fe6d7cb1372a8dbe3237206260439b163979259b6cc8077d75b3927f6b230
Instruction Fuzzy Hash: 50519231A001169BCF14EF6CC9409BEB7B5BF64724BA14229E966E72C5DF39DD40C790

Function 00A8372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A83774
CoUninitialize.OLE32 ref: 00A8377F
CoCreateInstance.OLE32(?,00000000,00000017,00A9FB78,?), ref: 00A837D9
IIDFromString.OLE32(?,?), ref: 00A8384C
VariantInit.OLEAUT32(?), ref: 00A838E4
VariantClear.OLEAUT32(?), ref: 00A83936

Strings

NULL Pointer assignment, xrefs: 00A8381E
Invalid parameter, xrefs: 00A83865
Failed to create object, xrefs: 00A837E4, 00A8389A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: be470792528afb3b85f47f0c089c44e6e3ef362a9b0ed989328f7026b2f26cac
Instruction ID: 7018fba300ab099831841fb79cd911c315c1f21d257f51268292860661f42b08
Opcode Fuzzy Hash: be470792528afb3b85f47f0c089c44e6e3ef362a9b0ed989328f7026b2f26cac
Instruction Fuzzy Hash: 7E61A072608701AFDB10EF54C948F6ABBE8EF49B10F004849F9859B291D770EE49CB92

Function 00A6B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A6B5FC
_wcslen.LIBCMT ref: 00A6B608
_wcslen.LIBCMT ref: 00A6B64D
_wcslen.LIBCMT ref: 00A6B68C
_wcslen.LIBCMT ref: 00A6B6C7

Strings

APPEND, xrefs: 00A6B6C1, 00A6B6C6
EXISTS, xrefs: 00A6B686, 00A6B68B
REMOVE, xrefs: 00A6B602, 00A6B607
KEYS, xrefs: 00A6B647, 00A6B64C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: cdef311ad10b5a6c310a5bc23fa9c239705c074d4ea1192f9ed0ec42aad4462f
Instruction ID: a71f2486e9e38d11412c806ba035eb6320c4098aff64fb071baad5e7121924a7
Opcode Fuzzy Hash: cdef311ad10b5a6c310a5bc23fa9c239705c074d4ea1192f9ed0ec42aad4462f
Instruction Fuzzy Hash: BD41C636A211269BCB209F7DCD905BE77B5AFA0B54B254529E421DB284F731CDC1C7B0

Function 00A75393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A75416
GetLastError.KERNEL32 ref: 00A75420
SetErrorMode.KERNEL32(00000000,READY), ref: 00A754A7

Strings

INVALID, xrefs: 00A75459
READONLY, xrefs: 00A75452
READY, xrefs: 00A75460, 00A75468
UNKNOWN, xrefs: 00A75444
NOTREADY, xrefs: 00A7544B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8900d626af7eb4251f435f6c750ff67749e40fe954d1214448b51bde478315c9
Instruction ID: 30eb69f793a96c811293dd9b85b2dd492b0ffca5a6d45a01ede4981d58ea851e
Opcode Fuzzy Hash: 8900d626af7eb4251f435f6c750ff67749e40fe954d1214448b51bde478315c9
Instruction Fuzzy Hash: 40319F35E005049FDB10DF68C984BAABBB5EF05315F14C06AE40ACB292DBB1ED86CB91

Function 00A93C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00A93C79
SetMenu.USER32(?,00000000), ref: 00A93C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A93D10
IsMenu.USER32(?), ref: 00A93D24
CreatePopupMenu.USER32 ref: 00A93D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A93D5B
DrawMenuBar.USER32 ref: 00A93D63

Strings

0, xrefs: 00A93C54
F, xrefs: 00A93D4E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: dbc055591fef9f119be17fdda8e753b9cbfae927905568833c362fb66211ef6d
Instruction ID: 8e6ef96ca79e3842608761a78aba21ca8a193d88ba3ead7a37fbd9a54b7c8c19
Opcode Fuzzy Hash: dbc055591fef9f119be17fdda8e753b9cbfae927905568833c362fb66211ef6d
Instruction Fuzzy Hash: 784157BAB01609AFDF14CFA4D894AAA7BF5FF49350F140429F946A7360D730AA11CF94

Function 00A61EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00A61F64
GetDlgCtrlID.USER32 ref: 00A61F6F
GetParent.USER32 ref: 00A61F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A61F8E
GetDlgCtrlID.USER32(?), ref: 00A61F97
GetParent.USER32(?), ref: 00A61FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A61FAE

Strings

ComboBox, xrefs: 00A61EEC
ListBox, xrefs: 00A61F21

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4b545d0f90520f81de74a6a89400bbfb9736e0e40f81b54ea6032a203395e508
Instruction ID: c799f24c6a0a48f73369ba95be8ba411515dfb2cf352a2c2910b6e7953ee27e6
Opcode Fuzzy Hash: 4b545d0f90520f81de74a6a89400bbfb9736e0e40f81b54ea6032a203395e508
Instruction Fuzzy Hash: C121BE71E00218BBCF04EFA0DC85EEEBBB8EF15310F004116FA61A72E1DB3959199B60

Function 00A61FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00A62043
GetDlgCtrlID.USER32 ref: 00A6204E
GetParent.USER32 ref: 00A6206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A6206D
GetDlgCtrlID.USER32(?), ref: 00A62076
GetParent.USER32(?), ref: 00A6208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A6208D

Strings

ComboBox, xrefs: 00A61FCD
ListBox, xrefs: 00A62002

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6a3aee4facf86f4e7fe013eabfcfc73f9e55e4cee2a91fccaf8b6834e511e4cb
Instruction ID: cdeebe7874f5c7d86295539de7485a82b42d65c30a39bfd11317d497060f6034
Opcode Fuzzy Hash: 6a3aee4facf86f4e7fe013eabfcfc73f9e55e4cee2a91fccaf8b6834e511e4cb
Instruction Fuzzy Hash: 3321D1B5E00618BFDF10EFA0DC85EEEBBB8EF05310F005406FA51A72A1DA795919DB60

Function 00A93A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A93A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A93AA0
GetWindowLongW.USER32(?,000000F0), ref: 00A93AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A93AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A93B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A93BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A93BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A93BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A93BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A93C13

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2c3c78b7730eab7670622f73fcec4648d7e5a302a7da77240c95bc67b2ed3c6d
Instruction ID: ec772df00d336966dfdffb8a9349d81477c677343382ad101442030fc49babe4
Opcode Fuzzy Hash: 2c3c78b7730eab7670622f73fcec4648d7e5a302a7da77240c95bc67b2ed3c6d
Instruction Fuzzy Hash: 12615B75A00248AFDF10DFA8CD81EEE77F8EB09710F10419AFA15A7292D774AE46DB50

Function 00A6B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A6B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B165
GetWindowThreadProcessId.USER32(00000000), ref: 00A6B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A6B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B21D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 584c7c38d9045d09eb397d571fb2a6b650f94d257638a6be37016840eb11a6f8
Instruction ID: d7c230950e2df76e89bcfe3f8f7ce4f546d3ec479de56a481b75a7c79687226d
Opcode Fuzzy Hash: 584c7c38d9045d09eb397d571fb2a6b650f94d257638a6be37016840eb11a6f8
Instruction Fuzzy Hash: D3319172610604BFDF10DFA4DC58BAE7BB9BB51321F108116FA06D61A0DBB49A828F71

Function 00A32C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A32C94

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A32CA0
_free.LIBCMT ref: 00A32CAB
_free.LIBCMT ref: 00A32CB6
_free.LIBCMT ref: 00A32CC1
_free.LIBCMT ref: 00A32CCC
_free.LIBCMT ref: 00A32CD7
_free.LIBCMT ref: 00A32CE2
_free.LIBCMT ref: 00A32CED
_free.LIBCMT ref: 00A32CFB

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b0d061ed36a3355f28b214eeb8cb20772df4c788da4a7a1d2fc446e1d8cfb4ba
Instruction ID: f63dc1290b42930180499a3976290828c5e2d28d2da11c0e834d9bcfe3430fbf
Opcode Fuzzy Hash: b0d061ed36a3355f28b214eeb8cb20772df4c788da4a7a1d2fc446e1d8cfb4ba
Instruction Fuzzy Hash: E511C876100118BFCB02EF54EA82EDD7BA5FF45350F4144A5FA489F232DA31EE509B90

Function 00A77DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A77FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A77FC1
GetFileAttributesW.KERNEL32(?), ref: 00A77FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A78005
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78017
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A780B0

Strings

*.*, xrefs: 00A78066

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9be1dc4fc16b6834a89ac52d925e4977cf09fe5f113db30e09872127ac8666b7
Instruction ID: f031a54469ca3901bacdffb5334705ea7accf4969f27e5d4ea3528d952291511
Opcode Fuzzy Hash: 9be1dc4fc16b6834a89ac52d925e4977cf09fe5f113db30e09872127ac8666b7
Instruction Fuzzy Hash: E5818E725082059BDB20EF14CD449AEB3E8BF88714F54CC6EF889D7250EB75ED498B92

Function 00A05BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A05C7A

Part of subcall function 00A05D0A: GetClientRect.USER32(?,?), ref: 00A05D30
Part of subcall function 00A05D0A: GetWindowRect.USER32(?,?), ref: 00A05D71
Part of subcall function 00A05D0A: ScreenToClient.USER32(?,?), ref: 00A05D99

GetDC.USER32 ref: 00A446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A44708
SelectObject.GDI32(00000000,00000000), ref: 00A44716
SelectObject.GDI32(00000000,00000000), ref: 00A4472B
ReleaseDC.USER32(?,00000000), ref: 00A44733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A447C4

Strings

U, xrefs: 00A44693

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 624c3f43575704ddf606d20ffb04043f398a703dfb3eedfa7bd9cdaf72957d41
Instruction ID: ce9e6a25329dfd95562b047e3a94f66e4d293d400e93ba0d6dc75c3ff4390a94
Opcode Fuzzy Hash: 624c3f43575704ddf606d20ffb04043f398a703dfb3eedfa7bd9cdaf72957d41
Instruction Fuzzy Hash: 6D71F239900209EFDF21CF64C984BBA7BB5FF8A361F14426AED565A1A6C7309C42DF50

Function 00A7359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A735E4

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

LoadStringW.USER32(00AD2390,?,00000FFF,?), ref: 00A7360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00A73724
"%s" (%d) : ==> %s:, xrefs: 00A73742
Error: , xrefs: 00A736EF
Line %d (File "%s"):, xrefs: 00A7366B
^ ERROR, xrefs: 00A736C9

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 98779ed92ec2622d1902668ae16f9c9b81535d234d403c46ab90dc3df2959df0
Instruction ID: 00b9c13f7fb023a03847540edde7c6266948f02ceecb947ddcaff204aee5b1e7
Opcode Fuzzy Hash: 98779ed92ec2622d1902668ae16f9c9b81535d234d403c46ab90dc3df2959df0
Instruction Fuzzy Hash: 1A516F72D00209BADF14EBE0DE42EEEBB78AF14340F148125F105761A2DB311B99DF61

Function 00A7C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A7C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A7C2CA
GetLastError.KERNEL32 ref: 00A7C322
SetEvent.KERNEL32(?), ref: 00A7C336
InternetCloseHandle.WININET(00000000), ref: 00A7C341

Strings

, xrefs: 00A7C2BB

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4efc83bc1c382d9558279fff40394961be4762cb7ddba3cae2d9c587f92dcf2d
Instruction ID: 85c445c5130e58e5eed64a80c1e922d3d60c776f7bc82826926fbb07859fb2e6
Opcode Fuzzy Hash: 4efc83bc1c382d9558279fff40394961be4762cb7ddba3cae2d9c587f92dcf2d
Instruction Fuzzy Hash: E2317CB1600708AFD721DFA48D88AABBBFCEB49764F10C51EF44A97201DB34DD059B60

Function 00A6989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A43AAF,?,?,Bad directive syntax error,00A9CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A698BC
LoadStringW.USER32(00000000,?,00A43AAF,?), ref: 00A698C3

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A69987

Strings

Line %d:, xrefs: 00A69912
., xrefs: 00A6996D
%s (%d) : ==> %s.: %s %s, xrefs: 00A698F1
Line %d (File "%s"):, xrefs: 00A6992D
Error: , xrefs: 00A69955

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d55071eb29c262fedb23cb059c732db44e8c78664b6f08667ec86865b0c9275b
Instruction ID: e9f130f58cf4b7144eb115845bfbc489f03dd62c2fb8fed6cd082cbf5391a036
Opcode Fuzzy Hash: d55071eb29c262fedb23cb059c732db44e8c78664b6f08667ec86865b0c9275b
Instruction Fuzzy Hash: A2217A3290021EBBCF15EF90DE46EEE7779BF18300F04486AF515660A2EB31AA58DB11

Function 00A6209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00A620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A6214D

Strings

list, xrefs: 00A6212F
smallicons, xrefs: 00A62115
SHELLDLL_DefView, xrefs: 00A620CC
details, xrefs: 00A620FB
largeicons, xrefs: 00A620E1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 4c073ca017b2b316b0b641177e972f275c1316d3298877a72835fa080a9ec534
Instruction ID: 917c8d32b2ce013f17daa9ad6c27f2523eda794005726e48854c267f4a548332
Opcode Fuzzy Hash: 4c073ca017b2b316b0b641177e972f275c1316d3298877a72835fa080a9ec534
Instruction Fuzzy Hash: 74110A7668CB16B9F601A334EC06FE677BCDB16764B21022AFB04A90D1FE616C425714

Function 00A38D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32ee3d99bd697cdcb4881789862ee2055c8d8b4312bd64be51555061ae2b79b
Instruction ID: 460cc1d7360a4cddbea7e3bbe87664c50a6ceb60a2708565a4c5bd7a25c43d02
Opcode Fuzzy Hash: f32ee3d99bd697cdcb4881789862ee2055c8d8b4312bd64be51555061ae2b79b
Instruction Fuzzy Hash: 0AC1D174A04349AFDF15DFECD841BAEBBB0AF0A310F1441A9F455A7392CB749942CB61

Function 00A3CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A3CEB7
_free.LIBCMT ref: 00A3CF22
_free.LIBCMT ref: 00A3CF48
_free.LIBCMT ref: 00A3CF71
_free.LIBCMT ref: 00A3CFA9
_free.LIBCMT ref: 00A3CFDA
_free.LIBCMT ref: 00A3D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A3D09C
_free.LIBCMT ref: 00A3D0B5

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4a0ee2547716cc2239a13e475f07845be0855458613b1d08ebd89e37e9b13f30
Instruction ID: 32ea380b144df05b93af683a140d50f37fba02456bf7eff2906e518cc65e07d7
Opcode Fuzzy Hash: 4a0ee2547716cc2239a13e475f07845be0855458613b1d08ebd89e37e9b13f30
Instruction Fuzzy Hash: E1612871905310AFDB25AFB4AD81BAE7BA6EF06330F14416EF945B7281E7329D01C790

Function 00A950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A95186
ShowWindow.USER32(?,00000000), ref: 00A951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00A951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A951D1

Part of subcall function 00A96FBA: DeleteObject.GDI32(00000000), ref: 00A96FE6

GetWindowLongW.USER32(?,000000F0), ref: 00A9520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A9521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A9524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A95287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A95296

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 179bd0ac850ef5fd047429b463b85ad2b6043579b706ddb0bcdc9180cd190a21
Instruction ID: 5434ca3c22c8594f17a5b87d614c1c94c42b4b67a96a01d72c8149e061e674fd
Opcode Fuzzy Hash: 179bd0ac850ef5fd047429b463b85ad2b6043579b706ddb0bcdc9180cd190a21
Instruction Fuzzy Hash: 11518C34F51A08BEEF26AF74CC4BBD93BE5AB05321F244212F6159A2E0C775A981DB41

Function 00A18B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00A56890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A18874,00000000,00000000,00000000,000000FF,00000000), ref: 00A56901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A5691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A18874,00000000,00000000,00000000,000000FF,00000000), ref: 00A5692D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 02ac7af4242c4a5a5ee5aea4c87f3a038786386a2e65df8340db10bb8a8f6a3b
Instruction ID: 2bdee21cfd805c39d9f2373f934481f260ce4dae787eec7b21d2e409fb1ac0fb
Opcode Fuzzy Hash: 02ac7af4242c4a5a5ee5aea4c87f3a038786386a2e65df8340db10bb8a8f6a3b
Instruction Fuzzy Hash: 9D51B6B0A04209EFDB20CF64CC95FAA3BB6FF58760F104529F906972A0DB74E991DB50

Function 00A7C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A7C182
GetLastError.KERNEL32 ref: 00A7C195
SetEvent.KERNEL32(?), ref: 00A7C1A9

Part of subcall function 00A7C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7C272
Part of subcall function 00A7C253: GetLastError.KERNEL32 ref: 00A7C322
Part of subcall function 00A7C253: SetEvent.KERNEL32(?), ref: 00A7C336
Part of subcall function 00A7C253: InternetCloseHandle.WININET(00000000), ref: 00A7C341

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ea6c592f4b7d4d9c4ce365c95d84392c3f805e551d7a7106a96a8d859d6973bf
Instruction ID: 26ca5a32475109051999b190a084497b50dda11ed329cc31bef1f0ba47f53888
Opcode Fuzzy Hash: ea6c592f4b7d4d9c4ce365c95d84392c3f805e551d7a7106a96a8d859d6973bf
Instruction Fuzzy Hash: C6318371200B01AFDB21AFE5DD44AA7BBF8FF14320B50C52EF55A86611DB30E9159BA0

Function 00A625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A62601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A62605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A6260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A62623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A62627

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 88b4c7b79d334dad63573e2a9b1019cd57655eb5faa928f16e3b065dcdd19be6
Instruction ID: 22c968a20c34abd9f8b7063c80094a6d13e8831179a5e4205f09c022ab16f744
Opcode Fuzzy Hash: 88b4c7b79d334dad63573e2a9b1019cd57655eb5faa928f16e3b065dcdd19be6
Instruction Fuzzy Hash: 4801D831390A20BBFB10A7A9DC8AF593F69DF5EB61F100012F314AE0D1CDE21445DA69

Function 00A61803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A61449,?,?,00000000), ref: 00A6180C
HeapAlloc.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A61813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A61449,?,?,00000000), ref: 00A61828
GetCurrentProcess.KERNEL32(?,00000000,?,00A61449,?,?,00000000), ref: 00A61830
DuplicateHandle.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A61833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A61449,?,?,00000000), ref: 00A61843
GetCurrentProcess.KERNEL32(00A61449,00000000,?,00A61449,?,?,00000000), ref: 00A6184B
DuplicateHandle.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A6184E
CreateThread.KERNEL32(00000000,00000000,00A61874,00000000,00000000,00000000), ref: 00A61868

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c0b5cd1073dcb150cdf839df938633ee648268659bd6208016f96b559d461ad8
Instruction ID: 0f9539326aa416451551572a91ad027f5d12c64b39597cb6b12ff317fa1de331
Opcode Fuzzy Hash: c0b5cd1073dcb150cdf839df938633ee648268659bd6208016f96b559d461ad8
Instruction Fuzzy Hash: 4601A8B5340708BFEA10EBA5DD4AF6B7BACEB89B11F504512FA05DB1A1CA7098018B34

Function 00A8A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00A6D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A6D501
Part of subcall function 00A6D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A6D50F
Part of subcall function 00A6D4DC: CloseHandle.KERNELBASE(00000000), ref: 00A6D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8A16D
GetLastError.KERNEL32 ref: 00A8A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A8A268
GetLastError.KERNEL32(00000000), ref: 00A8A273
CloseHandle.KERNEL32(00000000), ref: 00A8A2C4

Strings

SeDebugPrivilege, xrefs: 00A8A18F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 66449d2677d604610e5645cffd1df7eb49455bc33414598a6a24eb695c4af02c
Instruction ID: 3fda9390ebbb5054ee12bd9a3c6751b9113b9df887736ef60681faac84fca099
Opcode Fuzzy Hash: 66449d2677d604610e5645cffd1df7eb49455bc33414598a6a24eb695c4af02c
Instruction Fuzzy Hash: DF61C3702046429FE720EF18C494F56BBE1AF54318F18858DE4664F7A3DB76EC45CB92

Function 00A93886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A93925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A9393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A93954
_wcslen.LIBCMT ref: 00A93999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A939F4

Strings

SysListView32, xrefs: 00A938F7

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a0550c0735e3b0daf6030af93a1700800689b7114b7973fc35e5f6644207bd0e
Instruction ID: 9787f35fb649b06185798f6fdaf07f34df19b13052bce25c5313b8f2765374ed
Opcode Fuzzy Hash: a0550c0735e3b0daf6030af93a1700800689b7114b7973fc35e5f6644207bd0e
Instruction Fuzzy Hash: 52418372A00219ABEF21DFA4CC45BEE7BF9EF08354F100526F959E7281D7759980CB90

Function 00A6BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A6BCFD
IsMenu.USER32(00000000), ref: 00A6BD1D
CreatePopupMenu.USER32 ref: 00A6BD53
GetMenuItemCount.USER32(00DD48B0), ref: 00A6BDA4
InsertMenuItemW.USER32(00DD48B0,?,00000001,00000030), ref: 00A6BDCC

Strings

2, xrefs: 00A6BD37
0, xrefs: 00A6BCA8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2ad97aa582ba17e054992a6ef28f26e582d188cb80f8aba213eda444b86293cb
Instruction ID: baaef7fb8a66a89a68a344589a70706ed3dc73afd86f2ca643db4e5fd87ec82c
Opcode Fuzzy Hash: 2ad97aa582ba17e054992a6ef28f26e582d188cb80f8aba213eda444b86293cb
Instruction Fuzzy Hash: 5751AF70A10205EBDF21DFA8D984BAEBBF8BF45324F14426AE851DB291D7709981CB71

Function 00A6C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A6C913

Strings

blank, xrefs: 00A6C895
stop, xrefs: 00A6C8E4
question, xrefs: 00A6C8CC
warning, xrefs: 00A6C8FC
info, xrefs: 00A6C8B4

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b7c24f64875999f9b16a3ba3960936f1e5e5c18c125eac7c7156952d096b03ad
Instruction ID: 06da8e4084aedd268a0921de97156fcc1025e23335fc8b809f7504a8f9a42658
Opcode Fuzzy Hash: b7c24f64875999f9b16a3ba3960936f1e5e5c18c125eac7c7156952d096b03ad
Instruction Fuzzy Hash: 4511B733689706BAE715DB54AC82DBA67BCDF19774B60043FF544A7282E7B05E005264

Function 00A6DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A6DE42
gethostname.WSOCK32(?,00000100), ref: 00A6DE5C
gethostbyname.WSOCK32(?), ref: 00A6DE69
inet_ntoa.WSOCK32(?), ref: 00A6DEAB
_strcat.LIBCMT ref: 00A6DEB9
WSACleanup.WSOCK32 ref: 00A6DEDE

Strings

0.0.0.0, xrefs: 00A6DE87

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: acab73e8df64b89ccaf156404820a2839f73994733967032691d98de15bbe745
Instruction ID: 971a7e5abc011dc7ba39e423440b05414e094c37137c2bbe25a3c90eaed40b68
Opcode Fuzzy Hash: acab73e8df64b89ccaf156404820a2839f73994733967032691d98de15bbe745
Instruction Fuzzy Hash: E611EC71A04114BFCB20EB64DD4AEDE77BCDF15761F01017AF545EA091EFB18A818A90

Function 00A99F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

GetSystemMetrics.USER32(0000000F), ref: 00A99FC7
GetSystemMetrics.USER32(0000000F), ref: 00A99FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A9A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A9A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A9A263
ShowWindow.USER32(00000003,00000000), ref: 00A9A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00A9A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A9A2CA

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 5145326515d142f4760cfc23eb5856d0e87aef73132a300abf72a367a495aec6
Instruction ID: 86367eb627fa2c222d937f4489209a0aa8343cce1f4ae110e805f794fda200e7
Opcode Fuzzy Hash: 5145326515d142f4760cfc23eb5856d0e87aef73132a300abf72a367a495aec6
Instruction Fuzzy Hash: F9B18831600215ABDF14CF68C9857EE7BF2BF54711F18816AEC499F2A5DB31A940CBA1

Function 00A6ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A6ED2A
_wcslen.LIBCMT ref: 00A6ED3B
_wcslen.LIBCMT ref: 00A6ED79
_wcslen.LIBCMT ref: 00A6EDAF
_wcslen.LIBCMT ref: 00A6EDDF
_wcslen.LIBCMT ref: 00A6EDEF
_wcslen.LIBCMT ref: 00A6EE2B
_wcslen.LIBCMT ref: 00A6EE5A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4e31d4b62ddb6b6773933e03fab089386edf7938c3bb29773dc879824e70820c
Instruction ID: 84eddd4972638356ba3da74961b31db1ec33c1ca38a0a7b2ba573692e1e93838
Opcode Fuzzy Hash: 4e31d4b62ddb6b6773933e03fab089386edf7938c3bb29773dc879824e70820c
Instruction Fuzzy Hash: 22419375C10228B5DB11EBF8988A9CFB7BCAF49710F508472E528E3122FB34E255C3A5

Function 00A1F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A1F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A5F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A5F454

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7cfbf87594aebe2d03dba47be73a99596757e19ab945d96f9b7c193a41e2639f
Instruction ID: e6e4e121fb8258a03ac338f77976bb4e8cb36372f7fdb498ef0bd268193d6d05
Opcode Fuzzy Hash: 7cfbf87594aebe2d03dba47be73a99596757e19ab945d96f9b7c193a41e2639f
Instruction Fuzzy Hash: 78414B312086C0BFD738EB79CD887AA7BA1BB46331F58443DE49756560D631A8C6CB10

Function 00A92D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A92D1B
GetDC.USER32(00000000), ref: 00A92D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A92D2E
ReleaseDC.USER32(00000000,00000000), ref: 00A92D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A92D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A92D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A95A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A92DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A92DE1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ac64b8987e6ad8d1c20f0cae51fec2cd3eccdf4599526111dded7472a65804a9
Instruction ID: edd99ada9995e53179ef94e937606816a25cf7a950baea29c25415e54404ae02
Opcode Fuzzy Hash: ac64b8987e6ad8d1c20f0cae51fec2cd3eccdf4599526111dded7472a65804a9
Instruction Fuzzy Hash: BB317C72201614BFEF118F90CC8AFEB3BA9EF09725F044056FE089A291CA759C51CBB4

Function 00A65622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A65637
_memcmp.LIBVCRUNTIME ref: 00A65659
_memcmp.LIBVCRUNTIME ref: 00A65671
_memcmp.LIBVCRUNTIME ref: 00A65684
_memcmp.LIBVCRUNTIME ref: 00A6569E
_memcmp.LIBVCRUNTIME ref: 00A656B1
_memcmp.LIBVCRUNTIME ref: 00A656C9
_memcmp.LIBVCRUNTIME ref: 00A656E4

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: db6051be97278971d2af9887a241519484ed1748319bf4d6ff3f14053a3d9226
Instruction ID: 4ade12e7f47ab12d75ef01133c44fd905f6deaa22368273b871fadf82fbda4c2
Opcode Fuzzy Hash: db6051be97278971d2af9887a241519484ed1748319bf4d6ff3f14053a3d9226
Instruction Fuzzy Hash: 2A219275F40A197BD6149635EF82FBA33BDAE20394F484430FD04AE681F720ED20C5A5

Function 00A84FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00A8502E, 00A85383
Not an Object type, xrefs: 00A85007

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: a34a155ad4ce3180bf1c7a1e0b1bf5909374706e63137f38efe2168950ea5190
Instruction ID: a98c2c0ef161a9bd65158b6fecdd284f28ef5b5cb17912b940d9f50cda3abbae
Opcode Fuzzy Hash: a34a155ad4ce3180bf1c7a1e0b1bf5909374706e63137f38efe2168950ea5190
Instruction Fuzzy Hash: E2D1BD75E0060AAFDF10EFA8C894BAEB7B5FF48354F148569E915AB280E770DD41CB90

Function 00A41522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00A415CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A41651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A416E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A416FB

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A41777
__freea.LIBCMT ref: 00A417A2
__freea.LIBCMT ref: 00A417AE

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 324af7965aadba3d07f58f04248c28a3435649c7fc511b4c66c326f3640a2242
Instruction ID: 56f286b85454d15c56efd9267201aca7d60efa01ddd36b00d69c89fd09a36f3d
Opcode Fuzzy Hash: 324af7965aadba3d07f58f04248c28a3435649c7fc511b4c66c326f3640a2242
Instruction Fuzzy Hash: F391B27AE002169EDF208FA4C981AEEBBB5AFC9350F184659F805E7141EB35DD81CB61

Function 00A84523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A84648
VariantInit.OLEAUT32(?), ref: 00A84749
VariantClear.OLEAUT32(?), ref: 00A84753
VariantClear.OLEAUT32(?), ref: 00A847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A845D8, 00A84706, 00A847BE
Incorrect Object type in FOR..IN loop, xrefs: 00A8472C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 32c5a4b1def31281427e87c68f1ca5accc5a4a951c60c9dc4125c05898e102ab
Instruction ID: bbe24ec0a9bb558ff49101f9469e3b6c2cf229161988cbead4b3a9efb0af268d
Opcode Fuzzy Hash: 32c5a4b1def31281427e87c68f1ca5accc5a4a951c60c9dc4125c05898e102ab
Instruction Fuzzy Hash: 3B917271A0021AAFDF24DFA5C844FAEBBB8EF4A714F108569F515AB280D7749941CFA0

Function 00A71187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A7125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A71284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A7135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A71430

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 37bc00da856cca482e42e7c354bd0a981b254096afa1c064a88e539754126ada
Instruction ID: 8b99ec0e8ee5cf9a43073f09f3927062846b0be19d616ca37d318e1c4c542a85
Opcode Fuzzy Hash: 37bc00da856cca482e42e7c354bd0a981b254096afa1c064a88e539754126ada
Instruction Fuzzy Hash: F491AE75A00219AFDB00DFA8D884BBEB7F5FF45325F14C029E958EB292D774A941CB90

Function 00A1948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f987467818002fba8f9c7cb93d18c56012f0f29d658929f6dd4dd4c56a4eac74
Instruction ID: 6156616d4041a3cb2eaa542d907c0222be5da6fff59dae446244282a81a8e96a
Opcode Fuzzy Hash: f987467818002fba8f9c7cb93d18c56012f0f29d658929f6dd4dd4c56a4eac74
Instruction Fuzzy Hash: 5B913871D40219EFCB10CFA9CC84AEEBBB9FF49320F148155E915B7251D774AA86CB60

Function 00A83947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A8396B
CharUpperBuffW.USER32(?,?), ref: 00A83A7A
_wcslen.LIBCMT ref: 00A83A8A
VariantClear.OLEAUT32(?), ref: 00A83C1F

Part of subcall function 00A70CDF: VariantInit.OLEAUT32(00000000), ref: 00A70D1F
Part of subcall function 00A70CDF: VariantCopy.OLEAUT32(?,?), ref: 00A70D28
Part of subcall function 00A70CDF: VariantClear.OLEAUT32(?), ref: 00A70D34

Strings

AUTOIT.ERROR, xrefs: 00A83A80, 00A83A85
Incorrect Parameter format, xrefs: 00A839A6, 00A83BA1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 036d1e2e9627abee2c17cb6039ded8e4b7b46eed1d260406f46a08eb067a7616
Instruction ID: e51aa12b5e6165b8df376e4dea182d164ec84b76dfb788267dd6220ec88bd356
Opcode Fuzzy Hash: 036d1e2e9627abee2c17cb6039ded8e4b7b46eed1d260406f46a08eb067a7616
Instruction Fuzzy Hash: 8B917A756083059FCB04EF24C58496AB7E4FF88714F14882DF88A9B351DB31EE45CB92

Function 00A84BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00A6000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?,?,00A6035E), ref: 00A6002B
Part of subcall function 00A6000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60046
Part of subcall function 00A6000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60054
Part of subcall function 00A6000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?), ref: 00A60064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A84C51
_wcslen.LIBCMT ref: 00A84D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A84DCF
CoTaskMemFree.OLE32(?), ref: 00A84DDA

Strings

NULL Pointer assignment, xrefs: 00A84E23, 00A84E52

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 2d71f9b6c9df78f6cecaf1fbb946e7453229db4f1bc3f6ec0e59a23a07da0cc5
Instruction ID: 75db48bb9f3113934378397d9fd1dd77965e87cf24d312e4bdeb255a95d91de5
Opcode Fuzzy Hash: 2d71f9b6c9df78f6cecaf1fbb946e7453229db4f1bc3f6ec0e59a23a07da0cc5
Instruction Fuzzy Hash: 0C912871D0021DAFDF14EFA4D891EEEB7B8BF08314F10816AE915A7291EB309A45CF60

Function 00A87B7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00A20242: EnterCriticalSection.KERNEL32(00AD070C,00AD1884,?,?,00A1198B,00AD2518,?,?,?,00A012F9,00000000), ref: 00A2024D
Part of subcall function 00A20242: LeaveCriticalSection.KERNEL32(00AD070C,?,00A1198B,00AD2518,?,?,?,00A012F9,00000000), ref: 00A2028A

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A200A3: __onexit.LIBCMT ref: 00A200A9

__Init_thread_footer.LIBCMT ref: 00A87BFB

Part of subcall function 00A201F8: EnterCriticalSection.KERNEL32(00AD070C,?,?,00A18747,00AD2514), ref: 00A20202
Part of subcall function 00A201F8: LeaveCriticalSection.KERNEL32(00AD070C,?,00A18747,00AD2514), ref: 00A20235

Strings

G(>, xrefs: 00A87C96
Variable must be of type 'Object'., xrefs: 00A87C3A
G(>, xrefs: 00A87CD4, 00A87D73, 00A87D05, 00A87E05
(>, xrefs: 00A87D5C, 00A87C50
5, xrefs: 00A87C78

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: (>$5$G(>$G(>$Variable must be of type 'Object'.
API String ID: 535116098-4236395898
Opcode ID: 66f25a46794f9169abc2cc40bee8ec30e5beab80275d277c1650371bbff0f3b1
Instruction ID: 2510798b9498510f7d3bf591157fa69323f27f341310f3f2a807cf1c4e80e0b8
Opcode Fuzzy Hash: 66f25a46794f9169abc2cc40bee8ec30e5beab80275d277c1650371bbff0f3b1
Instruction Fuzzy Hash: 2B915875A04209EFCB14EF98D991DADB7B2FF48304F248059F806AB292DB71EE45CB51

Function 00A920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A92183
GetMenuItemCount.USER32(00000000), ref: 00A921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A921DD
_wcslen.LIBCMT ref: 00A92213
GetMenuItemID.USER32(?,?), ref: 00A9224D
GetSubMenu.USER32(?,?), ref: 00A9225B

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A922E3

Part of subcall function 00A6E97B: Sleep.KERNEL32 ref: 00A6E9F3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 9632942464fe386151fcc006d5038e49e43e47a9e20edba3bdd568935a9ec893
Instruction ID: 110bff2a614c5263ff00f18c30f58a32718f75f61bdd6adaeaf9225aa05c50e6
Opcode Fuzzy Hash: 9632942464fe386151fcc006d5038e49e43e47a9e20edba3bdd568935a9ec893
Instruction Fuzzy Hash: B1717D75B00215AFCF10EFA8D945BAEB7F5EF88320F148469E816EB341DB34AD418B90

Function 00A97E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DD4900), ref: 00A97F37
IsWindowEnabled.USER32(00DD4900), ref: 00A97F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A9801E
SendMessageW.USER32(00DD4900,000000B0,?,?), ref: 00A98051
IsDlgButtonChecked.USER32(?,?), ref: 00A98089
GetWindowLongW.USER32(00DD4900,000000EC), ref: 00A980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A980C3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: dd6ee786c760f9efeb65a9dd17a13eb8d2d6e691846276e760597f4cb5c73bc0
Instruction ID: d365b3ed7a5157fe1bd7be03ccca02eec7841e24f32b7d26e8621db2f3a79ed5
Opcode Fuzzy Hash: dd6ee786c760f9efeb65a9dd17a13eb8d2d6e691846276e760597f4cb5c73bc0
Instruction Fuzzy Hash: 71717C34709214AFEF21DF64C994FAEBBF5EF0A310F14445AE946A7261CB35AC45DB20

Function 00A6AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A6AEF9
GetKeyboardState.USER32(?), ref: 00A6AF0E
SetKeyboardState.USER32(?), ref: 00A6AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A6AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A6AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A6AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A6B020

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5aa19537f470fe5d49792175e12064dabe97964daa7c89937c68f925d02c64da
Instruction ID: 9d19545eed4c4ac27363df73d8c2b33f7e2670241321a85517ecdebae143cf38
Opcode Fuzzy Hash: 5aa19537f470fe5d49792175e12064dabe97964daa7c89937c68f925d02c64da
Instruction Fuzzy Hash: 3751C2A0A147D53DFB3683348C45BBABEF95B06304F088489E1D9958C3C7A9ACC4DB62

Function 00A6ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A6AD19
GetKeyboardState.USER32(?), ref: 00A6AD2E
SetKeyboardState.USER32(?), ref: 00A6AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A6ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A6ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A6AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A6AE38

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3b894f7995741a31c0833ee3b0bf2b5f3db2e2dce00c6b8024a598fa92927f5a
Instruction ID: 0a85e7a775ef423527265aa8e781541281b3e697c43c6c5c4b7c8ffc040b61a9
Opcode Fuzzy Hash: 3b894f7995741a31c0833ee3b0bf2b5f3db2e2dce00c6b8024a598fa92927f5a
Instruction Fuzzy Hash: 0A5108A16047E57DFB3383348C95BBA7EF85B55300F088489E1D5668C3D7A5EC84DB62

Function 00A3542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00A43CD6,?,?,?,?,?,?,?,?,00A35BA3,?,?,00A43CD6,?,?), ref: 00A35470
__fassign.LIBCMT ref: 00A354EB
__fassign.LIBCMT ref: 00A35506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00A43CD6,00000005,00000000,00000000), ref: 00A3552C
WriteFile.KERNEL32(?,00A43CD6,00000000,00A35BA3,00000000,?,?,?,?,?,?,?,?,?,00A35BA3,?), ref: 00A3554B
WriteFile.KERNEL32(?,?,00000001,00A35BA3,00000000,?,?,?,?,?,?,?,?,?,00A35BA3,?), ref: 00A35584

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4ac015ef570ed81df96a002731da5d936c399a96a680cf76ebce2b5020b89567
Instruction ID: ef8afdda1fe4aaf7938fd958ad3d9e37c760b5a5d76fe0d6538fa80213b65e42
Opcode Fuzzy Hash: 4ac015ef570ed81df96a002731da5d936c399a96a680cf76ebce2b5020b89567
Instruction Fuzzy Hash: A2519071E00649AFDB10CFA8D845AEEBBF9EF09310F14456AF956E7291D730AA41CB60

Function 00A32051 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A320C3
_free.LIBCMT ref: 00A320E3

Strings

(>, xrefs: 00A32076, 00A320B8, 00A320D8, 00A32158

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free
String ID: (>
API String ID: 269201875-1398077073
Opcode ID: 51aa75ec95fbfb2a17f6e6f88b7b4bf8fb69ea548a1b5397194dd40f8b2ab1c8
Instruction ID: 9307b560e2bfbb5a727d4bf68968204168cbf2491b9fadc4f139f117826d673b
Opcode Fuzzy Hash: 51aa75ec95fbfb2a17f6e6f88b7b4bf8fb69ea548a1b5397194dd40f8b2ab1c8
Instruction Fuzzy Hash: E741B132A00200AFCB24DF78C981B5EB7B5EF89714F1545A9F616EB391DA31AD01CB80

Function 00A22D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A22D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00A22D53
_ValidateLocalCookies.LIBCMT ref: 00A22DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00A22E0C
_ValidateLocalCookies.LIBCMT ref: 00A22E61

Strings

csm, xrefs: 00A22DF6

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f6177b5dad0ad0ceca91dd9618c2631c49202fcad35706c938b5183eaeffa7f8
Instruction ID: feee4d2df80f0fd5f1e062d9b922675b8e7cea834ed4872612ed2839dfa94694
Opcode Fuzzy Hash: f6177b5dad0ad0ceca91dd9618c2631c49202fcad35706c938b5183eaeffa7f8
Instruction Fuzzy Hash: 4E419D35E00229BBCF10DF6CE845BAEBBB5BF45324F148165E815AB392D735AA05CB90

Function 00A810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
Part of subcall function 00A8304E: _wcslen.LIBCMT ref: 00A8309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A81112
WSAGetLastError.WSOCK32 ref: 00A81121
WSAGetLastError.WSOCK32 ref: 00A811C9
closesocket.WSOCK32(00000000), ref: 00A811F9

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 16f08654171c90c2fd2adfe024563eb684677807c8e37185be3bd04fa890d91a
Instruction ID: fd42c740b001dad7fa498e57a22e2a22a187b1be48b8e1acb4322ab9140ea617
Opcode Fuzzy Hash: 16f08654171c90c2fd2adfe024563eb684677807c8e37185be3bd04fa890d91a
Instruction Fuzzy Hash: BE41F431600604AFDB10EF54D888BA9B7E9FF45764F148259F9059B291DB70AD82CBE1

Function 00A6CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A6CF22,?), ref: 00A6DDFD

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A6CF22,?), ref: 00A6DE16

lstrcmpiW.KERNEL32(?,?), ref: 00A6CF45
MoveFileW.KERNEL32(?,?), ref: 00A6CF7F
_wcslen.LIBCMT ref: 00A6D005
_wcslen.LIBCMT ref: 00A6D01B
SHFileOperationW.SHELL32(?), ref: 00A6D061

Strings

\*.*, xrefs: 00A6CFF3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 692c56f8eab060b1f12e1d969fe8516766c858289d58de7f98056c64d121e2b5
Instruction ID: 8a7b5fef1d3e89a7b80b69048d6b051f375ea8e0b943336b3bd432efdca7a891
Opcode Fuzzy Hash: 692c56f8eab060b1f12e1d969fe8516766c858289d58de7f98056c64d121e2b5
Instruction Fuzzy Hash: 59416971D452189FDF12EFA4DA81AEEB7B8AF08780F0000E6E545EB142EF34A785CB50

Function 00A92DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A92E1C
GetWindowLongW.USER32(?,000000F0), ref: 00A92E4F
GetWindowLongW.USER32(?,000000F0), ref: 00A92E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A92EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A92EE0
GetWindowLongW.USER32(?,000000F0), ref: 00A92EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A92F0B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4316235a1fe43541631db931063aeaf8b3c8d67b6e31d2d853d8d12cdf781501
Instruction ID: d2b8a6463b02a633c54837e8c4b61c04ac5c1e38076472ce5de4b938fcd15124
Opcode Fuzzy Hash: 4316235a1fe43541631db931063aeaf8b3c8d67b6e31d2d853d8d12cdf781501
Instruction Fuzzy Hash: B4310E35745240AFEF21CF98DCD4FA53BE0FB8A720F1501A6FA018B2B2CB61A8419B50

Function 00A67726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6778F
SysAllocString.OLEAUT32(00000000), ref: 00A67792
SysAllocString.OLEAUT32(?), ref: 00A677B0
SysFreeString.OLEAUT32(?), ref: 00A677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00A677DE
SysAllocString.OLEAUT32(?), ref: 00A677EC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fafc545124128af3af9b156329375ea4042d772b61f3cbd5b47531961759ca2d
Instruction ID: cc141da66d3234c5ae35470a26c1cf0146d928bed6a3e020b5e3d031d883954e
Opcode Fuzzy Hash: fafc545124128af3af9b156329375ea4042d772b61f3cbd5b47531961759ca2d
Instruction Fuzzy Hash: 87218E76718219AFDF10DFA8CD88CBF77BCEB09768B048126BA15DB190DA74DC428764

Function 00A677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67868
SysAllocString.OLEAUT32(00000000), ref: 00A6786B
SysAllocString.OLEAUT32 ref: 00A6788C
SysFreeString.OLEAUT32 ref: 00A67895
StringFromGUID2.OLE32(?,?,00000028), ref: 00A678AF
SysAllocString.OLEAUT32(?), ref: 00A678BD

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5f25aeafa301df3098dbeb0f1254372594c0eca5c2706b1edfd9ffb3648a7e5f
Instruction ID: 53406930a27d483acfbecf581bf90ad2e65322bafce783038712e36c30559047
Opcode Fuzzy Hash: 5f25aeafa301df3098dbeb0f1254372594c0eca5c2706b1edfd9ffb3648a7e5f
Instruction Fuzzy Hash: D7215C36718204AFDF10AFE8DC8CDAE77BCEB097647108126B915CB2A1DA74DC81CB64

Function 00A704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A7052E

Strings

nul, xrefs: 00A70567

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 008b9c51011e3fe6c2623f75d613473fc0703907541bba6e03b8bb7b0efdd213
Instruction ID: 60847a61f8a852b82bd2604bc6b99800376817ad71d4a4fd76ebcf8043a56c68
Opcode Fuzzy Hash: 008b9c51011e3fe6c2623f75d613473fc0703907541bba6e03b8bb7b0efdd213
Instruction Fuzzy Hash: 80216D75600305EBDF209F69DC44E9A7BB4AF54724F20CA19F8A9D62E0D7709941CF20

Function 00A705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A70601

Strings

nul, xrefs: 00A70639

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1b3261fdf13aa573d48bedc43109a30a0388b47fcf7b55495df601c76cc3e328
Instruction ID: a255ff784e31f17bc10a3b1fa04c99ea06296c0229f040fabaa7288f08d2dbca
Opcode Fuzzy Hash: 1b3261fdf13aa573d48bedc43109a30a0388b47fcf7b55495df601c76cc3e328
Instruction Fuzzy Hash: 12218375600305DBDB209F698C54E9A77E4BF95734F20CB1AF8A5E72D0DBB09961CB20

Function 00A940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
Part of subcall function 00A0600E: GetStockObject.GDI32(00000011), ref: 00A06060
Part of subcall function 00A0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A94112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A9411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A9412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A94139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A94145

Strings

Msctls_Progress32, xrefs: 00A940E3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7d7190d1938a8caa42394ebe47959df6c1476d3b819036bec3cb9b6e8f629444
Instruction ID: 638a25ddf0199bf460be004d3b3ed89835d0505450d5bc2be6d431a3ac20e382
Opcode Fuzzy Hash: 7d7190d1938a8caa42394ebe47959df6c1476d3b819036bec3cb9b6e8f629444
Instruction Fuzzy Hash: 0711B6B224011D7EEF118F64CC85EE77F9DEF08798F114111B718A2050C7769C22DBA4

Function 00A3D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A3D7A3: _free.LIBCMT ref: 00A3D7CC

_free.LIBCMT ref: 00A3D82D

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3D838
_free.LIBCMT ref: 00A3D843
_free.LIBCMT ref: 00A3D897
_free.LIBCMT ref: 00A3D8A2
_free.LIBCMT ref: 00A3D8AD
_free.LIBCMT ref: 00A3D8B8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae7fcd789960766625c394a40f1b6d8a2e79cbfab2602943b83fb950f3c6d686
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D0118F71940B14FADA31BFF0EE47FCBBBDCAF40700F400825B699AA292DA75B5058760

Function 00A6DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A6DA74
LoadStringW.USER32(00000000), ref: 00A6DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A6DA91
LoadStringW.USER32(00000000), ref: 00A6DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A6DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A6DAB9

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 280d23dfdd23c887e7c0a0a5948b772387ac19fc81258e7ce78eeb2cc9baa853
Instruction ID: 96556582262b0f30cbc2cfc998c96f4947e821687d9779def181c48699196f56
Opcode Fuzzy Hash: 280d23dfdd23c887e7c0a0a5948b772387ac19fc81258e7ce78eeb2cc9baa853
Instruction Fuzzy Hash: BD0162F2A042087FEB10DBE09D89EE7367CE708351F400596B706E2041EA749E854F74

Function 00A7096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DCD028,00DCD028), ref: 00A7097B
EnterCriticalSection.KERNEL32(00DCD008,00000000), ref: 00A7098D
TerminateThread.KERNEL32(?,000001F6), ref: 00A7099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00A709A9
CloseHandle.KERNEL32(?), ref: 00A709B8
InterlockedExchange.KERNEL32(00DCD028,000001F6), ref: 00A709C8
LeaveCriticalSection.KERNEL32(00DCD008), ref: 00A709CF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 90cbfde32a7bb48d895f9e4fcf94794d0b814aa0f48fb4b0e623bf5e7bd5cc5b
Instruction ID: 4d6b81e7a50dde10044fca618554b4a4cee21c510e0fdc892dc45daffb4e957d
Opcode Fuzzy Hash: 90cbfde32a7bb48d895f9e4fcf94794d0b814aa0f48fb4b0e623bf5e7bd5cc5b
Instruction Fuzzy Hash: 62F01D32542912EBDB41ABA4EE89AD6BA25BF01712F805016F201508A0CB75A466CFA0

Function 00A05D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A05D30
GetWindowRect.USER32(?,?), ref: 00A05D71
ScreenToClient.USER32(?,?), ref: 00A05D99
GetClientRect.USER32(?,?), ref: 00A05ED7
GetWindowRect.USER32(?,?), ref: 00A05EF8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0c82094de5cf531e5d917b027ec5a994508159b16a4e8f74f1d06017188bd9a8
Instruction ID: c95a61e64e0beb05e95ef7491fac186f6ce54a92d6e33f9a08d1e1fef1570246
Opcode Fuzzy Hash: 0c82094de5cf531e5d917b027ec5a994508159b16a4e8f74f1d06017188bd9a8
Instruction Fuzzy Hash: C1B15739A00A4ADBDB14CFB9C4807EAB7F1FF58310F14941AE8A9D7290DB34AA51DF54

Function 00A301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A300D6
__allrem.LIBCMT ref: 00A300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A3010B
__allrem.LIBCMT ref: 00A30122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A30140

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: f0c2f542ce8eb99528898409866193df5ef832fe3798f7ebf89b1a0de83daa13
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 1A812476A00B169FE7249F2CDD52F6BB3F9AF41760F24423AF551D6681E770D9008B90

Function 00A81D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00A8101C,00000000,?,?,00000000), ref: 00A83195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A81DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A81DE1
WSAGetLastError.WSOCK32 ref: 00A81DF2
inet_ntoa.WSOCK32(?), ref: 00A81E8C
htons.WSOCK32(?,?,?,?,?), ref: 00A81EDB
_strlen.LIBCMT ref: 00A81F35

Part of subcall function 00A639E8: _strlen.LIBCMT ref: 00A639F2

Part of subcall function 00A06D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00A1CF58,?,?,?), ref: 00A06DBA
Part of subcall function 00A06D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00A1CF58,?,?,?), ref: 00A06DED

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: d3fb02eb4cb4f5716d1a9c51c6fdf046f6b1e62f1d002b75586bc250667325af
Instruction ID: a4bb6acc4dc4ad937b59e12fb53d716da202bdfbd42b7c7876bdabfabe04856a
Opcode Fuzzy Hash: d3fb02eb4cb4f5716d1a9c51c6fdf046f6b1e62f1d002b75586bc250667325af
Instruction Fuzzy Hash: 93A10231604340AFC324EF24D885F6A7BE9AF84318F54894DF5565B2E2DB31ED86CB92

Function 00A361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A282D9,00A282D9,?,?,?,00A3644F,00000001,00000001,8BE85006), ref: 00A36258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A3644F,00000001,00000001,8BE85006,?,?,?), ref: 00A362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A363D8
__freea.LIBCMT ref: 00A363E5

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

__freea.LIBCMT ref: 00A363EE
__freea.LIBCMT ref: 00A36413

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7a098e0cd0179c91da055f1dba73df16701c505e488116c8673fe5efc26944a8
Instruction ID: 5abebf7b378d8d53bcfa6e9eb1004a8adc2efc93523d10bf95d12dd8e950b292
Opcode Fuzzy Hash: 7a098e0cd0179c91da055f1dba73df16701c505e488116c8673fe5efc26944a8
Instruction Fuzzy Hash: 2151AF73A00216BBEF258FA4DD81EBF7BA9EB44750F258629FC05DA141EB34DC44C6A0

Function 00A8BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8BD25
RegCloseKey.ADVAPI32(00000000), ref: 00A8BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A8BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8BDF3
RegCloseKey.ADVAPI32(?), ref: 00A8BDFF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 26f231a3c22e13b4658901cf47fd7139a24363c968303c9c65a4c094b9cbb8bc
Instruction ID: 511f4b8cc296ec4e4d069add1d635fe6d48fa449b66d649c6e714e0cba0f7672
Opcode Fuzzy Hash: 26f231a3c22e13b4658901cf47fd7139a24363c968303c9c65a4c094b9cbb8bc
Instruction Fuzzy Hash: 2B81AF70218241EFD714EF24C991E2ABBE5FF84308F14895CF4598B2A2DB31ED45CBA2

Function 00A5F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00A5F7B9
SysAllocString.OLEAUT32(00000001), ref: 00A5F860
VariantCopy.OLEAUT32(00A5FA64,00000000), ref: 00A5F889
VariantClear.OLEAUT32(00A5FA64), ref: 00A5F8AD
VariantCopy.OLEAUT32(00A5FA64,00000000), ref: 00A5F8B1
VariantClear.OLEAUT32(?), ref: 00A5F8BB

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: c7fd81e2e976bb476905c13bb52a53dfef2f6afacc4f788f6b64692c9c890ff7
Instruction ID: 7c4b8ac8a3667d3063d572f44ee9d99f331ad5eabe913366b3447ae397a09590
Opcode Fuzzy Hash: c7fd81e2e976bb476905c13bb52a53dfef2f6afacc4f788f6b64692c9c890ff7
Instruction Fuzzy Hash: 6E51C331600710FECF20AB65D995B29B3A8FF45312F248467ED06DF296DB709C84C796

Function 00A7910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00A794E5
_wcslen.LIBCMT ref: 00A79506
_wcslen.LIBCMT ref: 00A7952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00A79585

Strings

X, xrefs: 00A79412

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2fcbc83f255b1cf8bed8d96d1bebd61509d3efe41d080b3e9ffa099ce56d91fe
Instruction ID: a8755faad98f0ca7bedeabae7d2d62ad9079b7c26c9e3b559ed6df09c556a75a
Opcode Fuzzy Hash: 2fcbc83f255b1cf8bed8d96d1bebd61509d3efe41d080b3e9ffa099ce56d91fe
Instruction Fuzzy Hash: AFE1C1316083508FD724EF24D981A6BB7E4BF85314F04C96DF8999B2A2DB30ED05CB92

Function 00A1920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

BeginPaint.USER32(?,?,?), ref: 00A19241
GetWindowRect.USER32(?,?), ref: 00A192A5
ScreenToClient.USER32(?,?), ref: 00A192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A192D3
EndPaint.USER32(?,?,?,?,?), ref: 00A19321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A571EA

Part of subcall function 00A19339: BeginPath.GDI32(00000000), ref: 00A19357

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: d51bb2693cd85eeba925282b22235e4649f7198587f71ce47f9dcaa71d52c83b
Instruction ID: e4b374a5aee486f51ff5e243cec6e708fb0a858d6cd9a253fe2872630047e13d
Opcode Fuzzy Hash: d51bb2693cd85eeba925282b22235e4649f7198587f71ce47f9dcaa71d52c83b
Instruction Fuzzy Hash: 46419F30205600AFD711DFA4DCA4FAB7BB8FB45721F14022AF9659B2B2C7319886DB61

Function 00A707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A7080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A70847
EnterCriticalSection.KERNEL32(?), ref: 00A70863
LeaveCriticalSection.KERNEL32(?), ref: 00A708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A70921

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 43007442080a38690095bddabce0a26ea62251ee756a73e2165b1d2560b5b736
Instruction ID: c220fcf0bdea55aea871ea97c5b261053893a1238374e3ff5b237cf34ddd84ea
Opcode Fuzzy Hash: 43007442080a38690095bddabce0a26ea62251ee756a73e2165b1d2560b5b736
Instruction Fuzzy Hash: DA415A71A00205EFDF14EF94DD85AAA77B8FF44310F1480A5ED049A29BDB30DE65DBA4

Function 00A981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00A5F3AB,00000000,?,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A9824C
EnableWindow.USER32(?,00000000), ref: 00A98272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A982D1
ShowWindow.USER32(?,00000004), ref: 00A982E5
EnableWindow.USER32(?,00000001), ref: 00A9830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A9832F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f3e42d429e1302608b01d4c86199b8c55ae954da2b1d590f714c19c4d8b4b0b7
Instruction ID: 41513ff057d9702e5db00cfb8b234b7688b35db65dc702a26bc8f71d1bfcb7dd
Opcode Fuzzy Hash: f3e42d429e1302608b01d4c86199b8c55ae954da2b1d590f714c19c4d8b4b0b7
Instruction Fuzzy Hash: B141A334702644AFDF21CF55C899BE57BE0FB0B714F1841AAE5194F2A3CB39A842CB50

Function 00A64C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A64C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A64CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A64CEA
_wcslen.LIBCMT ref: 00A64D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A64D10
_wcsstr.LIBVCRUNTIME ref: 00A64D1A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b5bbba07e5a8d6c566ae4f42ccd51075710bc1d9cccd0a4e6613daf374cd68f8
Instruction ID: f17684cdea2c4f6f915b35529e998546814ff7aa7c5ee4205c2d32ec94093575
Opcode Fuzzy Hash: b5bbba07e5a8d6c566ae4f42ccd51075710bc1d9cccd0a4e6613daf374cd68f8
Instruction Fuzzy Hash: B9212332604240BFEB259B79AD09E7B7BBCDF49760F10803AF905CA192EE65CC4192A0

Function 00A7581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

_wcslen.LIBCMT ref: 00A7587B
CoInitialize.OLE32(00000000), ref: 00A75995
CoCreateInstance.OLE32(00A9FCF8,00000000,00000001,00A9FB68,?), ref: 00A759AE
CoUninitialize.OLE32 ref: 00A759CC

Strings

.lnk, xrefs: 00A75876, 00A758C1, 00A75985

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c43ff43011dbd60d220f7efdfbb044f458d8e1e421bfc2068e782d615503ed89
Instruction ID: 4a48f8e26921f519df361aa05691acb94875db37a42af91bb0abd343b21c8f6e
Opcode Fuzzy Hash: c43ff43011dbd60d220f7efdfbb044f458d8e1e421bfc2068e782d615503ed89
Instruction Fuzzy Hash: 20D16471A047059FC714DF24C980A2ABBE5FF89714F14885DF88A9B3A1DB71EC45CB92

Function 00A6175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A60FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A60FCA
Part of subcall function 00A60FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A60FD6
Part of subcall function 00A60FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A60FE5
Part of subcall function 00A60FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A60FEC
Part of subcall function 00A60FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A61002

GetLengthSid.ADVAPI32(?,00000000,00A61335), ref: 00A617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A617BA
HeapAlloc.KERNEL32(00000000), ref: 00A617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A617DA
GetProcessHeap.KERNEL32(00000000,00000000,00A61335), ref: 00A617EE
HeapFree.KERNEL32(00000000), ref: 00A617F5

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 296d33eb27dd217fec96046231b6b3fe33890570f499d9b95f987e47fd60413d
Instruction ID: 9e2671dfd828c5a43d49ea4cbc838c73708b28f6421e5fbbd9775dea6c98a8af
Opcode Fuzzy Hash: 296d33eb27dd217fec96046231b6b3fe33890570f499d9b95f987e47fd60413d
Instruction Fuzzy Hash: B211A932600605EFDB10DFA4CC49FAE7BB9EB42365F284119F481A7210DB36AA41CF60

Function 00A614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00A61506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A61515
CloseHandle.KERNEL32(00000004), ref: 00A61520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A6154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A61563

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 16547be8acbd3eb87bc16636c618c2a62bf639b320af615824f74ed3b88ce9e2
Instruction ID: 0414117875b03b1671c0511ff84b22cafe411837f6e30a99979bc7cefb77886f
Opcode Fuzzy Hash: 16547be8acbd3eb87bc16636c618c2a62bf639b320af615824f74ed3b88ce9e2
Instruction Fuzzy Hash: CB112972601209ABDF11CFE8EE49FDE7BB9EF48758F084015FA05A2060C7758E61DB61

Function 00A23382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A23379,00A22FE5), ref: 00A23390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A2339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A233B7
SetLastError.KERNEL32(00000000,?,00A23379,00A22FE5), ref: 00A23409

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e661b98aa4efb7b545022488b87a1135b76c451b0bf31284754ea62c14f089a3
Instruction ID: 5c310506349c6f9e0950964ae93798d8d8a8b71998f7efaeb234ba776a6fa5e6
Opcode Fuzzy Hash: e661b98aa4efb7b545022488b87a1135b76c451b0bf31284754ea62c14f089a3
Instruction Fuzzy Hash: 23012433208731BEEE24B7BC7D85A272A99EB07779720023AF410881F0FF194E035144

Function 00A32D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A35686,00A43CD6,?,00000000,?,00A35B6A,?,?,?,?,?,00A2E6D1,?,00AC8A48), ref: 00A32D78
_free.LIBCMT ref: 00A32DAB
_free.LIBCMT ref: 00A32DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00A2E6D1,?,00AC8A48,00000010,00A04F4A,?,?,00000000,00A43CD6), ref: 00A32DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00A2E6D1,?,00AC8A48,00000010,00A04F4A,?,?,00000000,00A43CD6), ref: 00A32DEC
_abort.LIBCMT ref: 00A32DF2

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 34e6501072c56248229714c0e6f4f28692958e4fe5f817657149556f5ecf882e
Instruction ID: 74eea2cd0f2f9b6f1f46d98381c43a73bcfc2fa5aecfb744ae39553bfba63419
Opcode Fuzzy Hash: 34e6501072c56248229714c0e6f4f28692958e4fe5f817657149556f5ecf882e
Instruction Fuzzy Hash: 35F0F632645A102BD62277B9BD0AF5F2669AFC27F1F250519F828D71E2EF3488035360

Function 00A98A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196A2
Part of subcall function 00A19639: BeginPath.GDI32(?), ref: 00A196B9
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A98A4E
LineTo.GDI32(?,00000003,00000000), ref: 00A98A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A98A70
LineTo.GDI32(?,00000000,00000003), ref: 00A98A80
EndPath.GDI32(?), ref: 00A98A90
StrokePath.GDI32(?), ref: 00A98AA0

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fc1181c4db4e405b9d50b7398f90cdc7a1dec7db8430a949b6444017ce84f394
Instruction ID: f1f16c95e15adf28856db22ce8a093a06689e78649e42220e3583e3252f132d2
Opcode Fuzzy Hash: fc1181c4db4e405b9d50b7398f90cdc7a1dec7db8430a949b6444017ce84f394
Instruction Fuzzy Hash: FC11CC76140149FFDF11DFD4EC48E9A7F6DEB04364F048012FA1996161CB719D56DB60

Function 00A651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A65218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A65229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A65230
ReleaseDC.USER32(00000000,00000000), ref: 00A65238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A6524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A65261

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: cf0060e75d099411b044052d0970c5c8cc9e4c62fdd08fbc5f0a8b59a3a3a5af
Instruction ID: d86f078c78ac607f304fa7cf88e05e8ac160a1f3d98c8e60029ab0ac39033b7a
Opcode Fuzzy Hash: cf0060e75d099411b044052d0970c5c8cc9e4c62fdd08fbc5f0a8b59a3a3a5af
Instruction Fuzzy Hash: 30014475E00B14BBEB109BF59C49A5EBFB8EF44761F144066FA04A7281DA709905CB60

Function 00A01BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A01BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A01BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A01C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A01C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A01C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A01C22

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d0b2e48712477675de595c67c3d9a12fcfcd2c13929a87173cacb73c0c896d29
Instruction ID: d59b012671a552ab9af5031eb7f5e11aec87810618e417dafd9cb8c593d45c03
Opcode Fuzzy Hash: d0b2e48712477675de595c67c3d9a12fcfcd2c13929a87173cacb73c0c896d29
Instruction Fuzzy Hash: BD016CB0902B597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00A6EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A6EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A6EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00A6EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB75

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6855f4fc8a48b7e53b0ce7f4e443acb86fee0f1ba39b4ce742f52198e9811c6d
Instruction ID: 1e1ee81b0f1fcf9c806b6f8d25715af7e6a9f681fdd2d4bbd260dd1874641aac
Opcode Fuzzy Hash: 6855f4fc8a48b7e53b0ce7f4e443acb86fee0f1ba39b4ce742f52198e9811c6d
Instruction Fuzzy Hash: 8CF05472340958BBE72197929C0EEEF7E7CEFCAB21F00415AF601D1091DBA45A02C6B5

Function 00A57439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00A57452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A57469
GetWindowDC.USER32(?), ref: 00A57475
GetPixel.GDI32(00000000,?,?), ref: 00A57484
ReleaseDC.USER32(?,00000000), ref: 00A57496
GetSysColor.USER32(00000005), ref: 00A574B0

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 8ef4f941042f58323d201fdffb0ae80b0a69371680e2aacf1b4def237a55fb4b
Instruction ID: cf6bc9378648e34db58272fe58cd67263710f754979e82a03ef3382a067b224d
Opcode Fuzzy Hash: 8ef4f941042f58323d201fdffb0ae80b0a69371680e2aacf1b4def237a55fb4b
Instruction Fuzzy Hash: F6014B31600615EFDB519FA8EC08BAE7BB5FB04322F614165FE16A21A1CF311E52EB50

Function 00A61874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A6187F
UnloadUserProfile.USERENV(?,?), ref: 00A6188B
CloseHandle.KERNEL32(?), ref: 00A61894
CloseHandle.KERNEL32(?), ref: 00A6189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A618A5
HeapFree.KERNEL32(00000000), ref: 00A618AC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 45058d3460852b82d17ca90a3f80d46ee397cf1e05304e8134004b82166bbb67
Instruction ID: 39223bf13f0c78dd19ff82e4f26d758fa219ca552a274ea899b37b72cca18e08
Opcode Fuzzy Hash: 45058d3460852b82d17ca90a3f80d46ee397cf1e05304e8134004b82166bbb67
Instruction Fuzzy Hash: E1E0C236204901BBDA019BE1EE0C90ABB29FB49B32B208222F22585070CF329422DB64

Function 00A6C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A6C6EE
_wcslen.LIBCMT ref: 00A6C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A6C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A6C7CA

Strings

0, xrefs: 00A6C6AF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 7e12e4caefd913a3ffeae515f87f42df7cd80e61a6a4d9e206dd6871e9704876
Instruction ID: 6026c9ed2ba2e4e0ab7a6fd70f3b55ba9958cdfd0fd9ae00663f969b567fa453
Opcode Fuzzy Hash: 7e12e4caefd913a3ffeae515f87f42df7cd80e61a6a4d9e206dd6871e9704876
Instruction Fuzzy Hash: AA51CD71604340ABD7109F28D985B7BB7F8AF49324F040A2AF9E6D32E1DB70D9448B96

Function 00A8AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00A8AEA3

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

GetProcessId.KERNEL32(00000000), ref: 00A8AF38
CloseHandle.KERNEL32(00000000), ref: 00A8AF67

Strings

<, xrefs: 00A8AE6B
@, xrefs: 00A8AE72

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: a27840ec1f7d52aaf0bb495fc53a5b228993cab69447bdc69a0de68dcfd16dc7
Instruction ID: b6669b0cb916bd908a94419e5a292a6b014b19a9fa52a7a48c565284dfd145ec
Opcode Fuzzy Hash: a27840ec1f7d52aaf0bb495fc53a5b228993cab69447bdc69a0de68dcfd16dc7
Instruction Fuzzy Hash: A6717B71A00619DFDB14EF94D584A9EBBF0FF08314F04849AE816AB392CB75ED85CB91

Function 00A6719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A67206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A6723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A6724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A672CF

Strings

DllGetClassObject, xrefs: 00A67242

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ad44950683faf3462fcf1b3350c502c5053ee19d1d67bda5117a1658e5540795
Instruction ID: be58f5e44c5eb6243ddf1acba8247e47155d7bddefbb4e3a1dd0b700930f51f8
Opcode Fuzzy Hash: ad44950683faf3462fcf1b3350c502c5053ee19d1d67bda5117a1658e5540795
Instruction Fuzzy Hash: 2B417EB1A14204EFDB15CFA4C894A9E7BB9EF44718F2480ADFD059F20AD7B0D945CBA0

Function 00A93D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A93E35
IsMenu.USER32(?), ref: 00A93E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A93E92
DrawMenuBar.USER32 ref: 00A93EA5

Strings

0, xrefs: 00A93D89

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b15da153d5212495545841fb7d3b941517d12d8ea22558a5db07c51ed14ecdc3
Instruction ID: b4cf87a107e8144532104bdd84a3c6c39fb511e425d7d018d28bbea143d08f4f
Opcode Fuzzy Hash: b15da153d5212495545841fb7d3b941517d12d8ea22558a5db07c51ed14ecdc3
Instruction Fuzzy Hash: ED411876A01209AFDF10DF94D884AAABBF9FF49364F044129E905AB250D730AE55CF50

Function 00A61DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A61E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A61E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A61EA9

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Strings

ComboBox, xrefs: 00A61DF0
ListBox, xrefs: 00A61E25

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 59dff03aeaacff3964b379e2ece761de0162e8615b49a801c1b539fdc3b86c84
Instruction ID: ce66fdbcaee863eead2e02d33891752140884ec0ec24bf27e0b1dc7955e3071a
Opcode Fuzzy Hash: 59dff03aeaacff3964b379e2ece761de0162e8615b49a801c1b539fdc3b86c84
Instruction Fuzzy Hash: 2C212772E00108BEDB14ABA4DD45DFFBBB8EF45360B184519F925A71E1DB398D0A9620

Function 00A8C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A8C9F1
_wcslen.LIBCMT ref: 00A8CA68
_wcslen.LIBCMT ref: 00A8CA9E
_wcslen.LIBCMT ref: 00A8CAF9
_wcslen.LIBCMT ref: 00A8CB2F
_wcslen.LIBCMT ref: 00A8CB7F

Strings

HKLM, xrefs: 00A8CA98, 00A8CA9D
HKEY_LOCAL_MACHINE, xrefs: 00A8CA62, 00A8CA67

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: e42fb251255f5e58b2e5431efb75e70a5c8e8bdbbc9a25522f2b65308f5ce1be
Instruction ID: 850b90e42f9664406b5a2aa0d2644f80a774d0c6b8f5f5e9eebfa7dfe07eb98d
Opcode Fuzzy Hash: e42fb251255f5e58b2e5431efb75e70a5c8e8bdbbc9a25522f2b65308f5ce1be
Instruction Fuzzy Hash: B631F873A001694BCB28FF6C99405BFB3939BA17E4B15402AE855AB345F671CE84DBB0

Function 00A92F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A92F8D
LoadLibraryW.KERNEL32(?), ref: 00A92F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A92FA9
DestroyWindow.USER32(?), ref: 00A92FB1

Strings

SysAnimate32, xrefs: 00A92F68

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a5891a14aeac3d6b7330ba24e2eedae3673c22fe23b319a64716ed8d5ad3b2e0
Instruction ID: c040788bda2f914ed54f1cd814d360e45fcaa45dd3a48c3d25de15fb349ae8d3
Opcode Fuzzy Hash: a5891a14aeac3d6b7330ba24e2eedae3673c22fe23b319a64716ed8d5ad3b2e0
Instruction Fuzzy Hash: 9C218872300209BBEF108FA4DC84FBB37F9EB59364F104619FA5492190D771DC619760

Function 00A24D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A24D1E,00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002), ref: 00A24D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A24DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00A24D1E,00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000), ref: 00A24DC3

Strings

mscoree.dll, xrefs: 00A24D86
CorExitProcess, xrefs: 00A24D98

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2743bca03155dec652b8af684155eca8288858f01da9f691c5eeff3d33f69f9b
Instruction ID: 78ee3b45ada72faf3f98995a5aec838d125340859a6ae17d7e12b668357b8809
Opcode Fuzzy Hash: 2743bca03155dec652b8af684155eca8288858f01da9f691c5eeff3d33f69f9b
Instruction Fuzzy Hash: 65F06234A40618BBDB119FD4EC49FAEBFB5EF48761F4001A5F809A22A0CF345D41CB94

Function 00A04E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04EAE
FreeLibrary.KERNEL32(00000000,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EC0

Strings

kernel32.dll, xrefs: 00A04E94
Wow64DisableWow64FsRedirection, xrefs: 00A04EA8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f77a1d1b84d7aca3da2dd7e86062fd7d2c3d1fbe866c46084bef00cbbcd0af86
Instruction ID: 679f7aa8226b20c40453a0ca06dddb066e21fbf6f73453acc0fe36d1a6491b20
Opcode Fuzzy Hash: f77a1d1b84d7aca3da2dd7e86062fd7d2c3d1fbe866c46084bef00cbbcd0af86
Instruction Fuzzy Hash: 46E08636B059226BD2215765BC18B9B6554BF85F727150216FD04D2150DF64CD0340E4

Function 00A04E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04E74
FreeLibrary.KERNEL32(00000000,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E87

Strings

kernel32.dll, xrefs: 00A04E5B
Wow64RevertWow64FsRedirection, xrefs: 00A04E6E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 046f4604775e9526fc463d2dc9fdbc1a82c657beb209de51035b36f645833fc9
Instruction ID: 973f82e7c58c34baffe6155ed56ea155c4b5f3bea64f8428112b1576b9f72e0e
Opcode Fuzzy Hash: 046f4604775e9526fc463d2dc9fdbc1a82c657beb209de51035b36f645833fc9
Instruction Fuzzy Hash: B5D0C232702E2167CA221B24BC08ECB2A18BF89F31315061AFA09A2190CF24CD0281D4

Function 00A72947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72C05
DeleteFileW.KERNEL32(?), ref: 00A72C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A72C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72CC0

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e00c01bd5b05791c0d87e4ffdd51c805609380a8a55602d53313c365cbe9df56
Instruction ID: 20886968a658521a7ff6536041a08dd0b97f5e19acc6973d33c93135e9bd5ac7
Opcode Fuzzy Hash: e00c01bd5b05791c0d87e4ffdd51c805609380a8a55602d53313c365cbe9df56
Instruction Fuzzy Hash: 28B13D72D0012DABDF11DFA4DD85EDEB7BDEF49350F1080A6F509E6141EA309A448F61

Function 00A8A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A8A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A8A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A8A468
CloseHandle.KERNEL32(?), ref: 00A8A63D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: b5559223f4a1c2db34984a0bcfabec4d6bc6a8288d96308a9b14d8ca7d52f583
Instruction ID: 8ebe37126079eb4e6333eeb7daef571d0c15157dda3d69e6961c953d5f5bbae3
Opcode Fuzzy Hash: b5559223f4a1c2db34984a0bcfabec4d6bc6a8288d96308a9b14d8ca7d52f583
Instruction Fuzzy Hash: 34A1C1716043019FE720EF28D986F2AB7E1AF94714F14881DF55A9B2D2DBB0EC41CB92

Function 00A6E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A6CF22,?), ref: 00A6DDFD

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A6CF22,?), ref: 00A6DE16

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

lstrcmpiW.KERNEL32(?,?), ref: 00A6E473
MoveFileW.KERNEL32(?,?), ref: 00A6E4AC
_wcslen.LIBCMT ref: 00A6E5EB
_wcslen.LIBCMT ref: 00A6E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A6E650

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b136ecf96fca992380443993a7ee84912d69ac693d231cd2d3dddf0c9b38d40d
Instruction ID: a441ac083c3932a5828867dbf16d47c9a47e9a4519f68f33a7765ebe770d1a1f
Opcode Fuzzy Hash: b136ecf96fca992380443993a7ee84912d69ac693d231cd2d3dddf0c9b38d40d
Instruction Fuzzy Hash: 7C51A6B25083849FC724EBA4DD819DF73ECAF84340F00492EF689D3191EF75A6888766

Function 00A8B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A8BB63
RegCloseKey.ADVAPI32(?,?), ref: 00A8BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00A8BBB3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: bd7b41f33b9444d4d4e90bc33ce4de13cb866463e0387c3b821fd5f4167a1089
Instruction ID: a1cec1487fd8217669209f3e8e3c17e28d1fb76e709ffbd4edbe83dc11847b54
Opcode Fuzzy Hash: bd7b41f33b9444d4d4e90bc33ce4de13cb866463e0387c3b821fd5f4167a1089
Instruction Fuzzy Hash: 7161C131218245EFD314EF14C494E2ABBE5FF84348F14855CF4998B2A2DB31ED45CBA2

Function 00A68BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A68BCD
VariantClear.OLEAUT32 ref: 00A68C3E
VariantClear.OLEAUT32 ref: 00A68C9D
VariantClear.OLEAUT32(?), ref: 00A68D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A68D3B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 74e37abc527953135ed2e216847eb2dc16ced205b5cbbae4e97f0d449ca60151
Instruction ID: cb85d848ac305a2708d25f898836cd42037ec7dab6ea5414ac712b2957518ead
Opcode Fuzzy Hash: 74e37abc527953135ed2e216847eb2dc16ced205b5cbbae4e97f0d449ca60151
Instruction Fuzzy Hash: 05517BB5A00619EFCB10CF68C884AAAB7F8FF89310B158559F915DB350EB34E911CFA0

Function 00A78AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A78BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A78BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A78C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A78C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A78C5F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 4788c65eaa30509b06f8cd2d78289836d559829d845fc35bf395ac4d1812fe5f
Instruction ID: df54a7b35975c5257fb5e0b6d2219913ed42608df30b7fd7297eed5cf2cb322e
Opcode Fuzzy Hash: 4788c65eaa30509b06f8cd2d78289836d559829d845fc35bf395ac4d1812fe5f
Instruction Fuzzy Hash: D5513A35A002199FCB01DF64C985AADBBF5BF48314F08C459E84AAB3A2CB35ED41CB90

Function 00A88EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A88F40
GetProcAddress.KERNEL32(00000000,?), ref: 00A88FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A88FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00A89032
FreeLibrary.KERNEL32(00000000), ref: 00A89052

Part of subcall function 00A1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A71043,?,753CE610), ref: 00A1F6E6
Part of subcall function 00A1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A5FA64,00000000,00000000,?,?,00A71043,?,753CE610,?,00A5FA64), ref: 00A1F70D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 11b36b1c1e63987998cc5ff679aaa4398478d2bec6ba6864c2443bdb5451cc60
Instruction ID: 13503d135921f7dee3039b2cbde48057286721356ea64f81255de090f4e4c245
Opcode Fuzzy Hash: 11b36b1c1e63987998cc5ff679aaa4398478d2bec6ba6864c2443bdb5451cc60
Instruction Fuzzy Hash: D3514035605205DFC711EF54C5848AEBBF1FF49324B488099E91A9B362DB31ED86CF91

Function 00A96B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A96C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00A96C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A96C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A7AB79,00000000,00000000), ref: 00A96C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A96CC7

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cc84716b8fe38a0f53e7134c881d52736aee1ed5cc42f2b49414ab9c822fef5b
Instruction ID: 4a363215b8c02cd0fbccb14b664e4e05b5a828b2c9d0c7280b815294bffd712b
Opcode Fuzzy Hash: cc84716b8fe38a0f53e7134c881d52736aee1ed5cc42f2b49414ab9c822fef5b
Instruction Fuzzy Hash: CC41AE35B04104AFDF24CF68CD98FA97BE5EF09360F150229F999A72A0D771AD41CA50

Function 00A1912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A19141
ScreenToClient.USER32(00000000,?), ref: 00A1915E
GetAsyncKeyState.USER32(00000001), ref: 00A19183
GetAsyncKeyState.USER32(00000002), ref: 00A1919D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 975c824cd6f9ef9dea6a6bc2abe8cc918874c8423fa6aeda228ae07efa95c2e6
Instruction ID: 9fe5dfc5bb04af64d29e6c0b42b1bb7b2097e211f4e22a78cccaa8f43f7ad739
Opcode Fuzzy Hash: 975c824cd6f9ef9dea6a6bc2abe8cc918874c8423fa6aeda228ae07efa95c2e6
Instruction Fuzzy Hash: ED414075A0851ABBDF159F64D858BEEB7B4FB05324F204315E829A72E0C7306994CB51

Function 00A73874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A73922
TranslateMessage.USER32(?), ref: 00A7394B
DispatchMessageW.USER32(?), ref: 00A73955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A73966

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5a23b7118d87c938faae469d00fa88637b92e6d3f675c216e35705c691bfcb2a
Instruction ID: 3fe6224245ae54e277d60265203044073d9b1059e34f9d90f2cbe8d2c3e930c0
Opcode Fuzzy Hash: 5a23b7118d87c938faae469d00fa88637b92e6d3f675c216e35705c691bfcb2a
Instruction Fuzzy Hash: E1312B72605341AEEF34CBB4DC68BB637E8AB05300F05C56ED56B86190D7F49686EB11

Function 00A7CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00A7CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFF2

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 72ba3b961f77897d3c22397eb56b7705a81c86f755681cf65582aa61c04f20f6
Instruction ID: ae8368b4f7f968a5f652e233dc9e013dcff3a40c02d75068f1e213a9de152619
Opcode Fuzzy Hash: 72ba3b961f77897d3c22397eb56b7705a81c86f755681cf65582aa61c04f20f6
Instruction Fuzzy Hash: 77314871600705AFDB20DFA5DD84AABBBF9EB14365B10C42EF50AE2141DB30AE41DB60

Function 00A61901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A61915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00A619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00A619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00A619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A619E2

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 57d24810a7dc5f34c4adb251edb5ac1421e419cc1777f203c3c59c7b66c79d91
Instruction ID: 19e0d62a5a4ce8aa60570a2778015c84231e182a1991c92f8bd3154abaea5da3
Opcode Fuzzy Hash: 57d24810a7dc5f34c4adb251edb5ac1421e419cc1777f203c3c59c7b66c79d91
Instruction Fuzzy Hash: 1931C072A00219EFCB00CFA8CD99ADE3FB5EB04325F144229FA21A72D1C7709944CB90

Function 00A95706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A95745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A9579D
_wcslen.LIBCMT ref: 00A957AF
_wcslen.LIBCMT ref: 00A957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A95816

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 4f240ba0b22478a0d3beb63253c0ac92dd810cc3c6818370fd74399a5fd5d25b
Instruction ID: aecf2d0006e03b38973ed860b6ac8e1ddf88e0f35c54996e9872a7509de3a3c3
Opcode Fuzzy Hash: 4f240ba0b22478a0d3beb63253c0ac92dd810cc3c6818370fd74399a5fd5d25b
Instruction Fuzzy Hash: 0021A271E04618AADF21CFB4DC86AEE77F9FF44720F108216E929EA180D7748A85CF50

Function 00A80930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A80951
GetForegroundWindow.USER32 ref: 00A80968
GetDC.USER32(00000000), ref: 00A809A4
GetPixel.GDI32(00000000,?,00000003), ref: 00A809B0
ReleaseDC.USER32(00000000,00000003), ref: 00A809E8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 821a1a98bb33742153dc60282c4341f53e893ce802705bd2b769512e961079ea
Instruction ID: 233b1afd734121e1934ced1394b2f107dd8970d34ec82aeb2bdf4bbbf5f5e8a5
Opcode Fuzzy Hash: 821a1a98bb33742153dc60282c4341f53e893ce802705bd2b769512e961079ea
Instruction Fuzzy Hash: 3D218135600204AFD714EFA9DD84EAEBBF5EF48710F048069E85A97362DB30AC45CB50

Function 00A3CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A3CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A3CDE9

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A3CE0F
_free.LIBCMT ref: 00A3CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A3CE31

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a3b82a15538bb5bd8d43a4bbf2c5440ea1e86f66b3b0f69b4c42e9ede9afc700
Instruction ID: 50fb3b615565c8cbd430db8defca39829d0824a78bc2a17be3297b72020f22d1
Opcode Fuzzy Hash: a3b82a15538bb5bd8d43a4bbf2c5440ea1e86f66b3b0f69b4c42e9ede9afc700
Instruction Fuzzy Hash: D301F7726016257FA32167B67C8CD7B796DDEC6FB1B25012AFD05E7201EE618D0283B0

Function 00A19639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
SelectObject.GDI32(?,00000000), ref: 00A196A2
BeginPath.GDI32(?), ref: 00A196B9
SelectObject.GDI32(?,00000000), ref: 00A196E2

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 27004e0414888d6abc86530aeb435d834778c0e5e056a9dacce424c35e6e3eb1
Instruction ID: 9c698bfe9f34a13daa270c2dc566a059126c62d7ae6a2cec38a95ba45a29e811
Opcode Fuzzy Hash: 27004e0414888d6abc86530aeb435d834778c0e5e056a9dacce424c35e6e3eb1
Instruction Fuzzy Hash: 16214F70902305FBDB11DFA4EC247EA3BB8BB50365F500217F832A61B1D7705896CBA5

Function 00A1990C Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A198CC
SetTextColor.GDI32(?,?), ref: 00A198D6
SetBkMode.GDI32(?,00000001), ref: 00A198E9
GetStockObject.GDI32(00000005), ref: 00A198F1
GetWindowLongW.USER32(?,000000EB), ref: 00A19952

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 890eb222ffb7741905a9437c7fb39b37de4fe70bcabcd83605233395aeb57fe4
Instruction ID: 2cf01ada42b638b18110af098a933ee82c89fba5cd25244bbde2929007e79930
Opcode Fuzzy Hash: 890eb222ffb7741905a9437c7fb39b37de4fe70bcabcd83605233395aeb57fe4
Instruction Fuzzy Hash: B9212731246250AFCB128F64EC64AEB3B70EF13771B18425EF9928E1B1CB314982CB51

Function 00A65711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A65726
_memcmp.LIBVCRUNTIME ref: 00A65744
_memcmp.LIBVCRUNTIME ref: 00A65757
_memcmp.LIBVCRUNTIME ref: 00A6576F
_memcmp.LIBVCRUNTIME ref: 00A65787

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bbf89b7803b0ca77f776078dd43f48cb7bf60019f4e54c7fbf6dc8c3a2a0ddb8
Instruction ID: 1ecb057d2465bf82627e3c1dda88e109bf2535628c7c7e6063a767060c298ddc
Opcode Fuzzy Hash: bbf89b7803b0ca77f776078dd43f48cb7bf60019f4e54c7fbf6dc8c3a2a0ddb8
Instruction Fuzzy Hash: 88015271B41619BE96089625AF82EBA63ADAB613A4F004831FD04AE641F661ED2082A5

Function 00A32DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00A2F2DE,00A33863,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6), ref: 00A32DFD
_free.LIBCMT ref: 00A32E32
_free.LIBCMT ref: 00A32E59
SetLastError.KERNEL32(00000000,00A01129), ref: 00A32E66
SetLastError.KERNEL32(00000000,00A01129), ref: 00A32E6F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0bd5591baed54b0841636082d7d9e8b259b4ae17ab2f1a01f9699a4a3b7b4199
Instruction ID: 02732ed2f91cf8ed0c859eac605fe74d289a8f1124a06a4c54ecbbb08dae9366
Opcode Fuzzy Hash: 0bd5591baed54b0841636082d7d9e8b259b4ae17ab2f1a01f9699a4a3b7b4199
Instruction Fuzzy Hash: DA012832205A006BCA12A7B57D47F2B2E6DABD53B1F350129F425A32D2EF748C025320

Function 00A6000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?,?,00A6035E), ref: 00A6002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?), ref: 00A60064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60070

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ade3bee65eba24dbd44846da5440b2bf64a49b7cbdae1b46138551cbcfb3d409
Instruction ID: 101e40950ba63da1b79d5fbd3647a978cc2826e6341260cce97b4cc864b4cfe7
Opcode Fuzzy Hash: ade3bee65eba24dbd44846da5440b2bf64a49b7cbdae1b46138551cbcfb3d409
Instruction Fuzzy Hash: E9018B72600604BFDB118FA8DC08FAB7ABDEB447A2F158125F905D6210EBB1DD818BA0

Function 00A6E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00A6E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00A6E9A5
Sleep.KERNEL32(00000000), ref: 00A6E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00A6E9B7
Sleep.KERNEL32 ref: 00A6E9F3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 721ca464ba7b5768199e9da42906bb25c9992d9e4108b1e5ca3136aa799ab292
Instruction ID: 0c535de7a9f2c8124ee1f653b8a194cafd24f80cbc26ccab5b3228fde1841dc2
Opcode Fuzzy Hash: 721ca464ba7b5768199e9da42906bb25c9992d9e4108b1e5ca3136aa799ab292
Instruction Fuzzy Hash: B5015736D01A29DBCF00EFE5DC59AEDFB78FF08B11F100646E502B2241CB3095528BA5

Function 00A610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 827aad5ce8c368659ac53628999686e074eafdd5bddc494b2b8bf6e231062881
Instruction ID: c93e927c7b119286f0fcf53d5604c6e961f3c4db56427abd5c7b4303fb83be9d
Opcode Fuzzy Hash: 827aad5ce8c368659ac53628999686e074eafdd5bddc494b2b8bf6e231062881
Instruction Fuzzy Hash: 420169B5200605BFDB118FA4DC49A6A3F7EEF8A3A4B64441AFA41C7360DE31DC018A60

Function 00A60FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A60FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A60FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A60FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A60FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A61002

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a5108117ae5c986483bd943b3e472a7c3cea85ce6bc73156cb81550ffced509e
Instruction ID: 48363efb599037a27e54772bcd87541d64c2928b5bd66f3e292d6b60135ae1f5
Opcode Fuzzy Hash: a5108117ae5c986483bd943b3e472a7c3cea85ce6bc73156cb81550ffced509e
Instruction Fuzzy Hash: 70F04935200711ABDB218FA49C49F5A3FADEF89762F654426FA46C6261CE70DC418A70

Function 00A61014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A6102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A61036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61062

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 28041edd6ed666a572b58a96bd37f3b43cf006ce284cf74b432b86c2f911ea60
Instruction ID: a92120eac476aefc21a70bcefec27f2baab0b663cad73d2c597e6f6adb3cb1ef
Opcode Fuzzy Hash: 28041edd6ed666a572b58a96bd37f3b43cf006ce284cf74b432b86c2f911ea60
Instruction Fuzzy Hash: 58F04935200711ABDF219FA4EC49F5A3FADEF89761F650426FA45C6260CE70D8418AB0

Function 00A7030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70324
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70331
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A7033E
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A7034B
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70358
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70365

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d02aac1378304f555f90b72c956e5890753829a14f5232cb50eec266f908283d
Instruction ID: 2ce346ca514176ba4b860f85a8932369e058d0b492f785948d50bc46c5037c65
Opcode Fuzzy Hash: d02aac1378304f555f90b72c956e5890753829a14f5232cb50eec266f908283d
Instruction Fuzzy Hash: B6019C72800B15DFCB30AF66DC90812FBF9BE60215315CA3FD1AA96931C7B1A959CE80

Function 00A3D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A3D752

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3D764
_free.LIBCMT ref: 00A3D776
_free.LIBCMT ref: 00A3D788
_free.LIBCMT ref: 00A3D79A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11acaf5b7de7a1653807b6802720db3bffcf7393ae7b1615acbb408d5ea310c9
Instruction ID: 5914ccdffadc1f388180d3b5ec996becf0d32926e5a1719fb72451a6861c34c1
Opcode Fuzzy Hash: 11acaf5b7de7a1653807b6802720db3bffcf7393ae7b1615acbb408d5ea310c9
Instruction Fuzzy Hash: D5F0BD72545218EBC625EBA8FAC6E1A7BDDBB84720FA50C45F049E7552CB30FC818B64

Function 00A65C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A65C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A65C6F
MessageBeep.USER32(00000000), ref: 00A65C87
KillTimer.USER32(?,0000040A), ref: 00A65CA3
EndDialog.USER32(?,00000001), ref: 00A65CBD

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 36935781bf09d89d30cffed909284bd8b1547c3121cd9102e9055c6f75770468
Instruction ID: ad78c37a428a6b9068f2ca7eb53d9d7ab1e74e954ae45a28e89f573b2be2402f
Opcode Fuzzy Hash: 36935781bf09d89d30cffed909284bd8b1547c3121cd9102e9055c6f75770468
Instruction Fuzzy Hash: 1B018B30A00B049FEB245B60DD8EF9577B8BB01705F00155AA643A10E1DFF099458B50

Function 00A322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A322BE

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A322D0
_free.LIBCMT ref: 00A322E3
_free.LIBCMT ref: 00A322F4
_free.LIBCMT ref: 00A32305

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d3250012aabdab070aae5b9ab5debdeb7eee812627d2b8f310b72d8f4079918b
Instruction ID: f02410b43b5178ff8e66c782a0d38d1d91e25e92d5cec12cda54850322e63ad0
Opcode Fuzzy Hash: d3250012aabdab070aae5b9ab5debdeb7eee812627d2b8f310b72d8f4079918b
Instruction Fuzzy Hash: 07F0B7798021209BC612EFD8BD01F893B65F758761F16059BF416D62B1C7310953AFE4

Function 00A195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A195D4
StrokeAndFillPath.GDI32(?,?,00A571F7,00000000,?,?,?), ref: 00A195F0
SelectObject.GDI32(?,00000000), ref: 00A19603
DeleteObject.GDI32 ref: 00A19616
StrokePath.GDI32(?), ref: 00A19631

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d7ffce62a8d8ccbaa6d61a554b0162bb9f2afc585d75de69b4fdda4713e5fe4b
Instruction ID: 2b3669a2b752de7f344ec0c9654288c248786406ab24ab36680bdc36f3c60a3a
Opcode Fuzzy Hash: d7ffce62a8d8ccbaa6d61a554b0162bb9f2afc585d75de69b4fdda4713e5fe4b
Instruction Fuzzy Hash: 7DF0EC31106604EBDB16DFA9ED2C7A53B65AB01332F548216F476550F1CB308997DF34

Function 00A30F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A310F9
__freea.LIBCMT ref: 00A31117

Part of subcall function 00A31537: _free.LIBCMT ref: 00A3154F

Strings

am/pm, xrefs: 00A3117A
a/p, xrefs: 00A311DE

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 73840406fafde0dc17377e467b0cc9ce364f605d9ad369d8890b804b235c32fb
Instruction ID: cd281fbb3994b15fc40aa4804f9ab34a19ce65af5879f631bf62fd11189109aa
Opcode Fuzzy Hash: 73840406fafde0dc17377e467b0cc9ce364f605d9ad369d8890b804b235c32fb
Instruction Fuzzy Hash: A8D11471900206DBDB689F68C895BFEB7B1FF06700F28426AF941AF651D3759D80CB91

Function 00A62716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A621D0,?,?,00000034,00000800,?,00000034), ref: 00A6B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A62760

Part of subcall function 00A6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A6B3F8

Part of subcall function 00A6B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A6B355
Part of subcall function 00A6B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A62194,00000034,?,?,00001004,00000000,00000000), ref: 00A6B365
Part of subcall function 00A6B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A62194,00000034,?,?,00001004,00000000,00000000), ref: 00A6B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A6281A

Strings

@, xrefs: 00A62832

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 415b2211b50bcfd51d57b13d73f229afced8b093e7a471f9821b567a52cff02e
Instruction ID: 8a871380b80e17aff9cc5f2d6ea7e1cc2413c2487f95069e100bdf134c96d582
Opcode Fuzzy Hash: 415b2211b50bcfd51d57b13d73f229afced8b093e7a471f9821b567a52cff02e
Instruction Fuzzy Hash: AC41FB76A00218AFDB10DFA4CD46FEEBBB8AF09700F108055FA55B7181DB706E85DBA1

Function 00A3172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00A31769
_free.LIBCMT ref: 00A31834
_free.LIBCMT ref: 00A3183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00A31760, 00A31767, 00A31796, 00A317CE

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 4209abaa02aec1b45911df0bafa7710eb53cebce6109b0f7ef0efc8f6d477051
Instruction ID: 6ed037ce93f42389936c587309eb988de3bad39b56ab3eb5b9e6e1d6778e5b85
Opcode Fuzzy Hash: 4209abaa02aec1b45911df0bafa7710eb53cebce6109b0f7ef0efc8f6d477051
Instruction Fuzzy Hash: 13316975A01218FFDB21DB999D85E9EBBFCEB85310F1441ABF80597211DA708E41CBA4

Function 00A6C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A6C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00A6C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AD1990,00DD48B0), ref: 00A6C395

Strings

0, xrefs: 00A6C2DF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b87cf487f839a2397bb42db136ba51dcedab373d97ec8ef81d35f193824ada58
Instruction ID: 1d2c24a4f65a41b64c593825230d5596344490ca0b2d25c834dfc2f6f8b770c2
Opcode Fuzzy Hash: b87cf487f839a2397bb42db136ba51dcedab373d97ec8ef81d35f193824ada58
Instruction Fuzzy Hash: 59419E712043019FD720DF29D884B6ABBF8AF85320F148A1EF9A59B3D1D730E904CB62

Function 00A94416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A9CC08,00000000,?,?,?,?), ref: 00A944AA
GetWindowLongW.USER32 ref: 00A944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A944D7

Strings

SysTreeView32, xrefs: 00A9447C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b85c0681b3afc41f6a6d06a708dd106286bee74302504c58ab522cde607d2c61
Instruction ID: ad98061aa46175b343176c5698db15c4625965c0ffcb8bfea93ea13696cf65b6
Opcode Fuzzy Hash: b85c0681b3afc41f6a6d06a708dd106286bee74302504c58ab522cde607d2c61
Instruction Fuzzy Hash: 58317A32210605ABDF208F78DC45FEA7BE9EB48334F214719F979A21E0DB70AC529B50

Function 00A8304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A83077,?,?), ref: 00A83378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
_wcslen.LIBCMT ref: 00A8309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00A83106

Strings

255.255.255.255, xrefs: 00A83095, 00A8309A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2d393be148fdc0cf275aea9f6a43e76078b55b719c9c48449524c4f18f57db1c
Instruction ID: 2fbd8e8bb7806d652f2a0c437a82209548d481bbd0e5c0025a87d3e44a4f4742
Opcode Fuzzy Hash: 2d393be148fdc0cf275aea9f6a43e76078b55b719c9c48449524c4f18f57db1c
Instruction Fuzzy Hash: 4931C1366042059FCF10EF68C585EAA77F0EF14B18F248159E9168B392DB72EE46C761

Function 00A93EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A93F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A93F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A93F78

Strings

SysMonthCal32, xrefs: 00A93F0B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4b4ce78f02cb80ce3db970d549cff52d4b21e6453a66683d90190058aff6ab92
Instruction ID: 23c7b2c9e904510fe47af9bd59a399524ee5f25fe2873eb90079efc6be6aefb5
Opcode Fuzzy Hash: 4b4ce78f02cb80ce3db970d549cff52d4b21e6453a66683d90190058aff6ab92
Instruction Fuzzy Hash: 72219C33600219BFDF25CF90DC46FEA3BB9EF48724F110215FA156B1D0DAB5A9518BA0

Function 00A94653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A94705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A94713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A9471A

Strings

msctls_updown32, xrefs: 00A94684

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ba5509ccd8293b392ef94c02cb7823784de45c0fddb21ac502a2be9021f5e725
Instruction ID: 70f640599521648f0af704305768db8a84987f178316afef62210d3249cac9a4
Opcode Fuzzy Hash: ba5509ccd8293b392ef94c02cb7823784de45c0fddb21ac502a2be9021f5e725
Instruction Fuzzy Hash: 7E214FB5600208AFEB10DFA4DCD1DBA37EDEB5E3A4B140459F6019B251DB30EC12CA60

Function 00A695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6961D

Strings

#OnAutoItStartRegister, xrefs: 00A695F3
#requireadmin, xrefs: 00A695D9
#notrayicon, xrefs: 00A695B7

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9ea253864cb89facb0662e79ec9263f83758e64e60bf2916dadbb2f1f31db462
Instruction ID: 8a0486762c77c3b463b330839c3a44260908aeaca6540bad24659868cfa8e74c
Opcode Fuzzy Hash: 9ea253864cb89facb0662e79ec9263f83758e64e60bf2916dadbb2f1f31db462
Instruction Fuzzy Hash: 9B215B722046206AD731AB28ED02FBB73FCAF51300F14443AFA4AD7081EB75ED45C295

Function 00A937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A93840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A93850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A93876

Strings

Listbox, xrefs: 00A9380F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7ff2a2411d93153ec00a9d30416b5dd6f73762dc9157b0bb352e017942eca107
Instruction ID: dd5a93cb1cbb14b1ffd61714656b4781739701b1cb31cee2af987992adf4a54d
Opcode Fuzzy Hash: 7ff2a2411d93153ec00a9d30416b5dd6f73762dc9157b0bb352e017942eca107
Instruction Fuzzy Hash: D4217C72710218BBEF21CF94DC85EBB37BAEF89764F118125F9059B190CA759C528BA0

Function 00A749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A74A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A74A5C
SetErrorMode.KERNEL32(00000000,?,?,00A9CC08), ref: 00A74AD0

Strings

%lu, xrefs: 00A74A6F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 08a0922a6dbc3fd6b1495173065623087dd19d82ff46ecc6a444b9cfbb7a7b61
Instruction ID: 0e1c3368cdd011cbe6bc4e85aaa4b943d4ac78d0fd99b0fc5fb5dc60358c1776
Opcode Fuzzy Hash: 08a0922a6dbc3fd6b1495173065623087dd19d82ff46ecc6a444b9cfbb7a7b61
Instruction Fuzzy Hash: CA315175A00109AFDB10DF54C985EAA7BF8EF08318F1480A9F909DB252DB71ED46CB61

Function 00A941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A9424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A94264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A94271

Strings

msctls_trackbar32, xrefs: 00A94226

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c0a7ec35a6625d3a2aa8a3945d4016a26ec4aa49ea7284357f69b44ef445ffe8
Instruction ID: 130f0d428032cd200bf0079079ddefeaee6e81916992833f79fa82cb686cdf3f
Opcode Fuzzy Hash: c0a7ec35a6625d3a2aa8a3945d4016a26ec4aa49ea7284357f69b44ef445ffe8
Instruction Fuzzy Hash: C611E332340208BEEF209F69CC06FEB3BECEF89B64F110524FA55E6090D671D8529B20

Function 00A62F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Part of subcall function 00A62DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A62DC5
Part of subcall function 00A62DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A62DD6
Part of subcall function 00A62DA7: GetCurrentThreadId.KERNEL32 ref: 00A62DDD
Part of subcall function 00A62DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A62DE4

GetFocus.USER32 ref: 00A62F78

Part of subcall function 00A62DEE: GetParent.USER32(00000000), ref: 00A62DF9

GetClassNameW.USER32(?,?,00000100), ref: 00A62FC3
EnumChildWindows.USER32(?,00A6303B), ref: 00A62FEB

Strings

%s%d, xrefs: 00A62FFF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: addf90b2b4ec69954d5e5a0ab61fd31ef51b5ebfff6eba8800cfd01ce1ba8a53
Instruction ID: 1c92905ed93d921659e44adfa316d681e9fa1eeeab33e1723525e6311e2e87e3
Opcode Fuzzy Hash: addf90b2b4ec69954d5e5a0ab61fd31ef51b5ebfff6eba8800cfd01ce1ba8a53
Instruction Fuzzy Hash: DA11A2B6700209ABDF14BF70DD85FED377AAF94314F048075F9099B192DE309A4A8B60

Function 00A95882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A958EE
DrawMenuBar.USER32(?), ref: 00A958FD

Strings

0, xrefs: 00A9588F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 692bd949e9392165b0f3a094c18603e0a27dd8b63e5efac5667b52e7d624d687
Instruction ID: ccaaa1db9dc0a86f5089388acde202d60577553597a15f5efaec2ef940d51f99
Opcode Fuzzy Hash: 692bd949e9392165b0f3a094c18603e0a27dd8b63e5efac5667b52e7d624d687
Instruction Fuzzy Hash: F4016D31A00218EFDF229F61DC45BAEBBF5FB45760F10809AE849D6151DB308A84DF21

Function 00A5D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00A5D3BF
FreeLibrary.KERNEL32 ref: 00A5D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00A5D3B9
X64, xrefs: 00A5D2A8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 8e1b97ad67c44b68ab9271633eea0f70f9719315e563c5d71f448c495ee179e0
Instruction ID: 3e0bc4b28803f2c5a4e62c4305db1691dd366971bda1c3f12bc4add7b3399a46
Opcode Fuzzy Hash: 8e1b97ad67c44b68ab9271633eea0f70f9719315e563c5d71f448c495ee179e0
Instruction Fuzzy Hash: 6AF0E571505B11ABD77597108C489EE7228BF10B23F60865AF817E90A9EB70C98DCA96

Function 00A6007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad85870cc57afa6e3b587c4744a946066665b0c3e05d7c7101ee776c1de0fd8
Instruction ID: e3892496e0f569dd0b6dc0aa060ca441b1b77012305eb2f02b29669e83064dcf
Opcode Fuzzy Hash: 5ad85870cc57afa6e3b587c4744a946066665b0c3e05d7c7101ee776c1de0fd8
Instruction Fuzzy Hash: 7DC13975A00206AFDB14CFA8C894EAEB7B5FF48705F218598E505EB251D731ED81DB90

Function 00A33E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A33F0B
__alldvrm.LIBCMT ref: 00A3410C
__alldvrm.LIBCMT ref: 00A3412E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: e4ba6f93ce5a0463b3f3cd73c573b03e9f2f1e66cbeff6967112049be19d41cc
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 7DA17B76E047869FEB15CF18C8917AEBBF4EF6A350F14426DF5859B281C238AD81C750

Function 00A8342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A83459
CoUninitialize.OLE32 ref: 00A83463
VariantInit.OLEAUT32(?), ref: 00A8346E
VariantClear.OLEAUT32(?), ref: 00A8371B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 25c6724642342a827d8f99de94794a545ade0c927cc6d49766c4a9a5f340b81f
Instruction ID: f9d5b3b2e1ab812649d46dd2993dad83b3175ab8fc03f764c287b3c8ed89c98a
Opcode Fuzzy Hash: 25c6724642342a827d8f99de94794a545ade0c927cc6d49766c4a9a5f340b81f
Instruction Fuzzy Hash: 61A12A756046059FCB00EF28D985A6EB7E5FF88714F048859F98A9B3A2DB30FE41CB51

Function 00A60436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A60608
CLSIDFromProgID.OLE32(?,?,00000000,00A9CC40,000000FF,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A6062D
_memcmp.LIBVCRUNTIME ref: 00A6064E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 93c8cc8a7a66f0ad2cbed3d9a7f84331e6f6a7c1b4f02bc85692fd523e2a884e
Instruction ID: fdbdbfc71cd92c76ff6cc31a4e6030f2eaf5200566bba6b1f5e8d1205842d62b
Opcode Fuzzy Hash: 93c8cc8a7a66f0ad2cbed3d9a7f84331e6f6a7c1b4f02bc85692fd523e2a884e
Instruction Fuzzy Hash: CC81FC75A00109EFCB04DF98C984DEEB7B9FF89315F208558E516EB250DB71AE46CB60

Function 00A8A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A8A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00A8A6BA

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Process32NextW.KERNEL32(00000000,?), ref: 00A8A79C
CloseHandle.KERNEL32(00000000), ref: 00A8A7AB

Part of subcall function 00A1CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00A43303,?), ref: 00A1CE8A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 5a3bf059bf9458dc21b75e56d39160d6a3a0dde0890470a82707d658652ade40
Instruction ID: 10ded8debbe23b955548c8c944144f0a17a21e55bdefc93f5516a5e096a9d08e
Opcode Fuzzy Hash: 5a3bf059bf9458dc21b75e56d39160d6a3a0dde0890470a82707d658652ade40
Instruction Fuzzy Hash: FC516E71508304AFD710EF24D986E6BBBE8FF89754F00891DF58597292EB70D904CBA2

Function 00A41391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A414C0

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5b23cb9005090c83e3ae0c1885867e896ca01f2d5016b697edc12af4e81ddf1b
Instruction ID: b3dc3f48c987576ec0cf77331aeabc05e26814b51d638437ed281b6b41237326
Opcode Fuzzy Hash: 5b23cb9005090c83e3ae0c1885867e896ca01f2d5016b697edc12af4e81ddf1b
Instruction Fuzzy Hash: E0412A7DA00610ABDB216BFDAD45AFE3AB4EFC2370F244235F419D6192E77488C15762

Function 00A96278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A962E2
ScreenToClient.USER32(?,?), ref: 00A96315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A96382

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9d78816722b908c125012c8e6b3655ebaa1d9ed8a71ea8c86b62eabcd29cc442
Instruction ID: 70dfaea26173251af31a02e06d303e5b4f5766ae706635927f8b01352241a012
Opcode Fuzzy Hash: 9d78816722b908c125012c8e6b3655ebaa1d9ed8a71ea8c86b62eabcd29cc442
Instruction Fuzzy Hash: D0510974A00609AFDF10DF68D990AAE7BF5FF45360F10816AF9159B2A0D730ED81CB50

Function 00A81AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A81AFD
WSAGetLastError.WSOCK32 ref: 00A81B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A81B8A
WSAGetLastError.WSOCK32 ref: 00A81B94

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 85d4b70cfdc19a707b37f65e4eb8aba7b6d3f4ca571e1f1624d9472e9b227834
Instruction ID: 66e92313d8244516832a3bbd82a85fc6ce0e5b3e85214ad6aeb01256e8bbd674
Opcode Fuzzy Hash: 85d4b70cfdc19a707b37f65e4eb8aba7b6d3f4ca571e1f1624d9472e9b227834
Instruction Fuzzy Hash: 7341A374600200AFE720AF24D98AF6977E5AB44718F54C458F91A9F3D2D772ED82CB91

Function 00A3B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae5853dac9e95d8dba1a3276954053d069ccd100ae81bb0eb500e958c948b00
Instruction ID: 56dc2a340804991cb1435386430d439ab64d6a75e7858538af876835d3b737a5
Opcode Fuzzy Hash: 5ae5853dac9e95d8dba1a3276954053d069ccd100ae81bb0eb500e958c948b00
Instruction Fuzzy Hash: 63412B75A10314BFD7249F38CD42BAABBFAEB84710F10853EF252DB281D771994187A0

Function 00A756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A75783
GetLastError.KERNEL32(?,00000000), ref: 00A757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A757FA

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 67428ccb80cc1b630a0ad1f2e2d55bd0a4695794fea8142056791096625c9745
Instruction ID: a536b3671b694a8451a87abbbcdd1527a04bba71a9b952990ec6824adb5ea0d7
Opcode Fuzzy Hash: 67428ccb80cc1b630a0ad1f2e2d55bd0a4695794fea8142056791096625c9745
Instruction Fuzzy Hash: 12414F35A00A14DFCB11EF55D944A5EBBF1EF49720B19C888E84A5B3A2CB70FD41DB91

Function 00A3D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00A26D71,00000000,00000000,00A282D9,?,00A282D9,?,00000001,00A26D71,8BE85006,00000001,00A282D9,00A282D9), ref: 00A3D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A3D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A3D9AB
__freea.LIBCMT ref: 00A3D9B4

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9ade8d59299ca06fc4b628d6080416825238dbcec312a4d1a3f5e323e356929c
Instruction ID: fc7082a5b94228e8965369d3712b9ffd3d0e933645fd8520a3f4cdb8e633796e
Opcode Fuzzy Hash: 9ade8d59299ca06fc4b628d6080416825238dbcec312a4d1a3f5e323e356929c
Instruction Fuzzy Hash: 2F31BC72A0021AEBDF25DFA4EC41EAE7BA5EB44310F154269FC04DB251EB35DD51CBA0

Function 00A952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00A95352
GetWindowLongW.USER32(?,000000F0), ref: 00A95375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A95382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A953A8

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f5be4d647af11bd4e184904dfaf4a463dfbbe3feb550f9cef889f4e482a14a09
Instruction ID: e3eb6a4d2ca9f0860873e324a9ad0f3a28d338196ef315c7bd2515f17310425a
Opcode Fuzzy Hash: f5be4d647af11bd4e184904dfaf4a463dfbbe3feb550f9cef889f4e482a14a09
Instruction Fuzzy Hash: 0B31CF34F55A08EFEF269B74CC27BEA37E1AB05390F584102FA119E1E1C7B49981AB51

Function 00A6AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A6ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A6AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A6AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A6ACC6

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d0244d0ac1c2524d6238e54089e4452392770926d5823c0739f04dc9f8fe4c3c
Instruction ID: 62b3a8d7908f202137ecc12ec63a8b297a74949c81760e7e99cee8cccb4bebb2
Opcode Fuzzy Hash: d0244d0ac1c2524d6238e54089e4452392770926d5823c0739f04dc9f8fe4c3c
Instruction Fuzzy Hash: 33310730A407186FEF35CBA58C047FA7BB5ABA9320F04431AE485A21D1C375D9859B62

Function 00A97674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A9769A
GetWindowRect.USER32(?,?), ref: 00A97710
PtInRect.USER32(?,?,00A98B89), ref: 00A97720
MessageBeep.USER32(00000000), ref: 00A9778C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6642214b9bf0a863595573da8159540885153cf96ed73e229fc873a66d140684
Instruction ID: aa02ba317f2afa804dc0ce849402296cf78eb24336563cf666c9eacb08587e2a
Opcode Fuzzy Hash: 6642214b9bf0a863595573da8159540885153cf96ed73e229fc873a66d140684
Instruction Fuzzy Hash: 35415A38B19214EFCF11CFE8C894EADB7F5BB49314F1541A9E9159B261C730A942CBA0

Function 00A916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A916EB

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

GetCaretPos.USER32(?), ref: 00A916FF
ClientToScreen.USER32(00000000,?), ref: 00A9174C
GetForegroundWindow.USER32 ref: 00A91752

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b17ffcd40d5e0f34b1e1b46c16120c911f1217cd1907326e03bc2c10b1a5c514
Instruction ID: b532e3ae10db4b79e6ac1f5954bf4356c2da10468d60f0e269928786ce069e15
Opcode Fuzzy Hash: b17ffcd40d5e0f34b1e1b46c16120c911f1217cd1907326e03bc2c10b1a5c514
Instruction Fuzzy Hash: 6B315275E00249AFDB00EFA9D981CAEB7F9EF48314B5080AAE415E7251DB319E45CFA1

Function 00A6DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

_wcslen.LIBCMT ref: 00A6DFCB
_wcslen.LIBCMT ref: 00A6DFE2
_wcslen.LIBCMT ref: 00A6E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00A6E018

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 4d51d6a4f87f1d126e3aa1c8e5bc3c94b84134b49d3b9caa6e210f0114c8f386
Instruction ID: 7aa7aa68f512c11aa0f6aab1b7dae607395a1d254b29b50424d67711c20932e1
Opcode Fuzzy Hash: 4d51d6a4f87f1d126e3aa1c8e5bc3c94b84134b49d3b9caa6e210f0114c8f386
Instruction Fuzzy Hash: 8021E275D40224EFCB20DFA8DA81BAEB7F8EF45750F104065E815BB282D7B09E41CBA1

Function 00A98FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

GetCursorPos.USER32(?), ref: 00A99001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A57711,?,?,?,?,?), ref: 00A99016
GetCursorPos.USER32(?), ref: 00A9905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A57711,?,?,?), ref: 00A99094

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3de18ef9cbff504741503718347bc13af9c2cc1c2b2e97478dd4bf2b97d0e417
Instruction ID: 20aea0447ba11c8277fcae55f73d83dfb352a3388cc37959c0522ef772f00b79
Opcode Fuzzy Hash: 3de18ef9cbff504741503718347bc13af9c2cc1c2b2e97478dd4bf2b97d0e417
Instruction Fuzzy Hash: 9E217C35700018BFCF25CF99C898EEB7BF9EB49360F04405AF9154B261C73299A1DB61

Function 00A6D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A9CB68), ref: 00A6D2FB
GetLastError.KERNEL32 ref: 00A6D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A6D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A9CB68), ref: 00A6D376

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 70d962cad9fcce28acbf39d4243ac63aaa93670cfde9f9e3dd47170efa041a19
Instruction ID: 3c355c4f701615430c84a7ab6e0c834d24d924b7e4d9b138181ce6e82f1f2a6b
Opcode Fuzzy Hash: 70d962cad9fcce28acbf39d4243ac63aaa93670cfde9f9e3dd47170efa041a19
Instruction Fuzzy Hash: 9C219170A042019FC710EF64D9818AB77F4AE553A4F504A1DF499DB3E1EB30D946CB93

Function 00A61571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A6102A
Part of subcall function 00A61014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A61036
Part of subcall function 00A61014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61045
Part of subcall function 00A61014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6104C
Part of subcall function 00A61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A615BE
_memcmp.LIBVCRUNTIME ref: 00A615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A61617
HeapFree.KERNEL32(00000000), ref: 00A6161E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 84b9c478402aaa14b5953865d4dfccd14cff27071ffff2a000302e39f034bb9d
Instruction ID: 5b063b117d0ba403d629cc94f3d33bc172f8243844f2574b57cea977cdefa101
Opcode Fuzzy Hash: 84b9c478402aaa14b5953865d4dfccd14cff27071ffff2a000302e39f034bb9d
Instruction Fuzzy Hash: 7F217C75E00109EFDF10DFA8C945BEEBBB8EF44354F194459E441AB241EB70AA05CBA0

Function 00A92782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A9280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A92824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A92832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A92840

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 225e7e0d709b5f5a52ef4be5b39046ab1e296b738a08a15304ee7f3914540e97
Instruction ID: a61e797f736fbd29800a2e60e8ec58d47e1f029baae5308bc3fc4a15cdf40138
Opcode Fuzzy Hash: 225e7e0d709b5f5a52ef4be5b39046ab1e296b738a08a15304ee7f3914540e97
Instruction Fuzzy Hash: A021BD31304511BFDB14DB24CC44FAA7BA5AF85324F148259F42A8B6E2CB71FC82CBA0

Function 00A678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?), ref: 00A68D8C
Part of subcall function 00A68D7D: lstrcpyW.KERNEL32(00000000,?,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A68DB2
Part of subcall function 00A68D7D: lstrcmpiW.KERNEL32(00000000,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?), ref: 00A68DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67923
lstrcpyW.KERNEL32(00000000,?,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67984

Strings

cdecl, xrefs: 00A6797B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d353b0670d3c49d87c248946857354c5f05909db4c9693041f0d46b7f9733d02
Instruction ID: ded635a6ca30a101a1a784ee240d98b6f22fe1eb600ef95c8d88e2a21a65e8ac
Opcode Fuzzy Hash: d353b0670d3c49d87c248946857354c5f05909db4c9693041f0d46b7f9733d02
Instruction Fuzzy Hash: 5711003A200242AFCB159F38C844E7A77F9FF85394B50802AF806CB2A4EF319801C7A1

Function 00A97CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A97D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A97D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A97D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A7B7AD,00000000), ref: 00A97D6B

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4a750c39ef7c5e49b809463c7a6a83ee08ec36413fa036fad23b41d4a56adf6d
Instruction ID: c1f45890f2c7300521bf29f303e43146e691e7c5002edcaa4059b94f0a99286f
Opcode Fuzzy Hash: 4a750c39ef7c5e49b809463c7a6a83ee08ec36413fa036fad23b41d4a56adf6d
Instruction Fuzzy Hash: DA118C71629615AFCF10DFA8DC04AAA3BA5AF45360F154725F83AC72E0DB309D52CB60

Function 00A95660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00A956BB
_wcslen.LIBCMT ref: 00A956CD
_wcslen.LIBCMT ref: 00A956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A95816

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 717837b78b7917a35b2c26fc86f816d45a01bfce8d97bc27fab4a3752ebab88c
Instruction ID: f9849cae54a6c2da4ff746e8c473e0dd67ec79a074e0887908ac195fc10d87df
Opcode Fuzzy Hash: 717837b78b7917a35b2c26fc86f816d45a01bfce8d97bc27fab4a3752ebab88c
Instruction Fuzzy Hash: 4F11B471F00614A6DF21DFB5DC86AEE77FCAF51760B108026FA15D6081EB748980CBA0

Function 00A31D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422f839d58cf928504e5c119601f870ffc4af8993c7e7c20811dbf1e65bbcd2f
Instruction ID: 704e0c0c1b95bbc3082a5883ac81292c889c59924bde492f772cd57c1869fcb2
Opcode Fuzzy Hash: 422f839d58cf928504e5c119601f870ffc4af8993c7e7c20811dbf1e65bbcd2f
Instruction Fuzzy Hash: DD0181B2209A167EF6212BB87CC1F67676DDF867F8F340326F521A11D2DB609C015170

Function 00A61A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A61A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A8A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a5c3c5ba7c4403a3a18d071a11db5d69cd89882d12b41d7b47c4bee37e627cd1
Instruction ID: 0838ec502c51af8115628b08a327a16e43c778add029afcf7191a5d863c3aab1
Opcode Fuzzy Hash: a5c3c5ba7c4403a3a18d071a11db5d69cd89882d12b41d7b47c4bee37e627cd1
Instruction Fuzzy Hash: 9E11393AD01219FFEB11DBE4CD85FADBB78EB18750F240492EA04B7290D6716E50DB94

Function 00A6E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A6E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00A6E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A6E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A6E24D

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b81b14355c4ea47698bb2db0ab543e830cbb9c1cf786af9b638cfb671b4eb106
Instruction ID: bad64b993f77ba0c665a92f7932e90dff94dc29d8516185a4c777fba1e08d44f
Opcode Fuzzy Hash: b81b14355c4ea47698bb2db0ab543e830cbb9c1cf786af9b638cfb671b4eb106
Instruction Fuzzy Hash: 2711C876A04254BBCB01DBF89C09ADE7FBDAB45320F144256F915D7291D6708A0587A0

Function 00A2D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00A2CFF9,00000000,00000004,00000000), ref: 00A2D218
GetLastError.KERNEL32 ref: 00A2D224
__dosmaperr.LIBCMT ref: 00A2D22B
ResumeThread.KERNEL32(00000000), ref: 00A2D249

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ccdcfb598d3d85f1f526ed754ff33a381746c55d24537d5f1cf410e15142eccf
Instruction ID: d516fa80b8a16416c6d950ec6e02992b4ac817a143e477a42a7a65731d95630d
Opcode Fuzzy Hash: ccdcfb598d3d85f1f526ed754ff33a381746c55d24537d5f1cf410e15142eccf
Instruction Fuzzy Hash: 5F01C436505224BBDB115BA9EC09BEE7A69EF81730F100239F925961D1CF708901C7A0

Function 00A99EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

GetClientRect.USER32(?,?), ref: 00A99F31
GetCursorPos.USER32(?), ref: 00A99F3B
ScreenToClient.USER32(?,?), ref: 00A99F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00A99F7A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 297db2bf5a6fd24f7e61036112a50c94e252e99ec44eccb9a654a0bca11998d1
Instruction ID: bb887d0305ca1a4610ff749f6a2a801d5ae562f3a2e04cd9e9b0e6ee01c40eb3
Opcode Fuzzy Hash: 297db2bf5a6fd24f7e61036112a50c94e252e99ec44eccb9a654a0bca11998d1
Instruction Fuzzy Hash: D0111532A0051ABBDF10DFA8D9899EFB7B9FB45311F40045AF912E7150D730BA82CBA1

Function 00A0600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
GetStockObject.GDI32(00000011), ref: 00A06060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9f271e7405eabcd8c9c018798e264111ceccc90dec8a77450d4ad7a3142d8c87
Instruction ID: c5f4279b20ae61f99206132607e56f8a80bd990dfca8606b35ab37651e7c6e33
Opcode Fuzzy Hash: 9f271e7405eabcd8c9c018798e264111ceccc90dec8a77450d4ad7a3142d8c87
Instruction Fuzzy Hash: B611A17250150CBFEF128FD4DC44EEA7B69EF08369F044202FA0452050DB329C60DBA0

Function 00A23B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00A23B56

Part of subcall function 00A23AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A23AD2
Part of subcall function 00A23AA3: ___AdjustPointer.LIBCMT ref: 00A23AED

_UnwindNestedFrames.LIBCMT ref: 00A23B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A23B7C
CallCatchBlock.LIBVCRUNTIME ref: 00A23BA4

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 8004581a8a9123efcf5f816695b88dba15a0dd6c0c554cb52267a06c14b5db80
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D4012933100158BBDF126F9AED42EEB3F6AEF49754F044024FE4856121C736E961DBA0

Function 00A33073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A013C6,00000000,00000000,?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue), ref: 00A330A5
GetLastError.KERNEL32(?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue,00AA2290,FlsSetValue,00000000,00000364,?,00A32E46), ref: 00A330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue,00AA2290,FlsSetValue,00000000), ref: 00A330BF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 69c24edae25213b735c8e73c2e25fe67b29fd1645ffae57cc23df21de1963667
Instruction ID: 0714ef217ff92d95fd1d19af37316fa52c361908b8511d39bd83cf447ce1d3ed
Opcode Fuzzy Hash: 69c24edae25213b735c8e73c2e25fe67b29fd1645ffae57cc23df21de1963667
Instruction Fuzzy Hash: 1D01AC33749732ABCF358BB9AC44A5777989F46771F210621F946D7150DB21DD02C6E0

Function 00A67464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A6747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A67497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A674CA

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fc35bb38a3aa17799cb01d62a7b6048f27c3cd8c397f2ef1c52a048bdf77661b
Instruction ID: 90c771b78e7ce0899cde014d71f0f44e07800f7a6eb94408b58b6216158c01e4
Opcode Fuzzy Hash: fc35bb38a3aa17799cb01d62a7b6048f27c3cd8c397f2ef1c52a048bdf77661b
Instruction Fuzzy Hash: C811ADB5315710ABE720CF58DD0CB9A7BFCEB40B18F50856AA616D6191DFB0E904DBA0

Function 00A6B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B126

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7b4d088afe67b7d8c12160c2682d7c80211dd9bd61a39ef893efbcf1e9f76515
Instruction ID: 0fcfb8a4cc998fc8076b8e1f7e8717cff5ae32edb75e2586e34758037ad78b86
Opcode Fuzzy Hash: 7b4d088afe67b7d8c12160c2682d7c80211dd9bd61a39ef893efbcf1e9f76515
Instruction Fuzzy Hash: 42115E31D1192CE7CF00DFE4E9586EEBF78FF0A711F114286D941B2145CB3095918B65

Function 00A97E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A97E33
ScreenToClient.USER32(?,?), ref: 00A97E4B
ScreenToClient.USER32(?,?), ref: 00A97E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A97E8A

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 44b2ac7f83054980735b29488f5d1408f9723742174eb7d79f16d0e6c14737c1
Instruction ID: 0b2d943428e43dd30e7579cb9bf1e45f71ca076d47c2f88ee15a50dbdf42b462
Opcode Fuzzy Hash: 44b2ac7f83054980735b29488f5d1408f9723742174eb7d79f16d0e6c14737c1
Instruction Fuzzy Hash: 771113B9E0064AAFDB41DF98C9849EEBBF5FB08310F505056E915E2210D735AA55CF50

Function 00A62DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A62DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A62DD6
GetCurrentThreadId.KERNEL32 ref: 00A62DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A62DE4

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 66c96867295f95b4dbb3b43bdc1db020072f4fa9b88bbb3b4a47b4daaa9b62ad
Instruction ID: d94925ae98c8d83358e8d5adf6638b604c7ccdc006ac0e40c0cc92d42c0acfe8
Opcode Fuzzy Hash: 66c96867295f95b4dbb3b43bdc1db020072f4fa9b88bbb3b4a47b4daaa9b62ad
Instruction Fuzzy Hash: 8AE06D71201A24BADB205BA29C0DFEB7E7CEB42BB1F401516B205D10909AA18942C7B0

Function 00A98863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196A2
Part of subcall function 00A19639: BeginPath.GDI32(?), ref: 00A196B9
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A98887
LineTo.GDI32(?,?,?), ref: 00A98894
EndPath.GDI32(?), ref: 00A988A4
StrokePath.GDI32(?), ref: 00A988B2

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9cceb47d378750a699f9f5a36f28c881cb2ed7cf87484565d61bee2ce40b2cff
Instruction ID: 4a12b9ed25d50a4cc5ca1cc45ed1cb64edc5094f3b32dd897e75ae30934ee5d0
Opcode Fuzzy Hash: 9cceb47d378750a699f9f5a36f28c881cb2ed7cf87484565d61bee2ce40b2cff
Instruction Fuzzy Hash: B1F05E36242658FADB12AFD4AC09FCE3F59AF06320F448102FA22650E1CB795552CFF9

Function 00A198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A198CC
SetTextColor.GDI32(?,?), ref: 00A198D6
SetBkMode.GDI32(?,00000001), ref: 00A198E9
GetStockObject.GDI32(00000005), ref: 00A198F1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6618d8c72677d3248620b20b706915db92149d8f97ed64017c6e199632c20255
Instruction ID: 336d1b6b52ae8ee8871438488a279aec7ab6e39e8be4cca7ed37e5830c49f7fe
Opcode Fuzzy Hash: 6618d8c72677d3248620b20b706915db92149d8f97ed64017c6e199632c20255
Instruction Fuzzy Hash: 62E06D31344A80ABDB219BB4BC09BED3F20AB12336F14831AFAFA580E1CB714645DB10

Function 00A6162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A61634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A611D9), ref: 00A6163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A611D9), ref: 00A61648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A611D9), ref: 00A6164F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9bbbcbe536ac788a8dd2efc6440e5fe4955c6176c30f99b7ac82b2cd95ece48e
Instruction ID: f453d45511f0c8f242a4706b57a3a5b35dff982aa5d4f7edd42acad5e2e6327f
Opcode Fuzzy Hash: 9bbbcbe536ac788a8dd2efc6440e5fe4955c6176c30f99b7ac82b2cd95ece48e
Instruction Fuzzy Hash: D0E08639701211EBDB205FE09E0DB873F7CAF447A5F188809F345C9080DE344542C760

Function 00A5D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A5D858
GetDC.USER32(00000000), ref: 00A5D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A5D882
ReleaseDC.USER32(?), ref: 00A5D8A3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7f80aaa12568f6ffb2b3c2c46206e9578ccc07d36732f9430c679d7f1dc07f64
Instruction ID: 00058388e89d7c65f40bedddc94778b8f70bfe0eb390d37e7b2c53c2a31cc2fc
Opcode Fuzzy Hash: 7f80aaa12568f6ffb2b3c2c46206e9578ccc07d36732f9430c679d7f1dc07f64
Instruction Fuzzy Hash: 23E01AB5900605DFCF41DFE0D90866DBBB1FB08321F14900AE906E7250CF399942AF50

Function 00A5D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A5D86C
GetDC.USER32(00000000), ref: 00A5D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A5D882
ReleaseDC.USER32(?), ref: 00A5D8A3

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1495102c1b1bdd16c5b7aba3e3eb1988a735c57864ab18454a228c1d03615e8d
Instruction ID: d40fef7d361b3529daaf0ad96b7e0d9fb2f5cc6aaca4b6da5d8ef6500cf65010
Opcode Fuzzy Hash: 1495102c1b1bdd16c5b7aba3e3eb1988a735c57864ab18454a228c1d03615e8d
Instruction Fuzzy Hash: 92E092B5A00605EFCF51EFE0D90866DBBB5BB08321F14944AEA4AE7250CF399942AF50

Function 00A74D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A74ED4

Strings

LPT, xrefs: 00A74DFB
*, xrefs: 00A74E10

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: f097899b1b8ab03e150a9a9407526a50de54b0731bdb9ee02e3f4da09551f779
Instruction ID: ef5dd510de09d9257f930336a2aa8c8056de670c53ed8c799a3611e432d53d83
Opcode Fuzzy Hash: f097899b1b8ab03e150a9a9407526a50de54b0731bdb9ee02e3f4da09551f779
Instruction Fuzzy Hash: 94917175A002049FCB14DF58C984EAABBF5BF48714F19C099E80A9F3A2D735ED85CB91

Function 00A2E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A2E30D

Strings

pow, xrefs: 00A2E2E5, 00A2E302

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 07cf807acd2faf2c17c1ace3afd170985e647aabca7694275ee0280ff1be65bc
Instruction ID: d33295125624fcdd27119aa13e877883a3bc95a1f52810c47212f7505e96e20c
Opcode Fuzzy Hash: 07cf807acd2faf2c17c1ace3afd170985e647aabca7694275ee0280ff1be65bc
Instruction Fuzzy Hash: F5513DB1A0C20296CB35F71CEA417BD3BA4AF40781F344978F496462E9DB358CD59B86

Function 00A1E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00A1E1B1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a31a85eff4211af3702de4ddda38b05690f02a0e2e148598474519ee15445653
Instruction ID: e3092182d3e78e4c313c10ce93ed8f647562bd9f3e8b5f4b482622bb681db9dd
Opcode Fuzzy Hash: a31a85eff4211af3702de4ddda38b05690f02a0e2e148598474519ee15445653
Instruction Fuzzy Hash: C8513271A00256DFDF19DF68D091AFA7BA9FF29311F244059FC919B2C0D6309E86CBA0

Function 00A1F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A1F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A1F2BB

Strings

@, xrefs: 00A1F2AF

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f29423f939949d273c7f298400a7bafc329ec4bee7e7a2d80d12c3c92546a9b6
Instruction ID: 26807b64d2219ab06e36f5f3728af13ad3466ce93afc334501c5622e396cdca6
Opcode Fuzzy Hash: f29423f939949d273c7f298400a7bafc329ec4bee7e7a2d80d12c3c92546a9b6
Instruction Fuzzy Hash: EC5155718087499BD320EF50E986BAFBBF8FB84310F81894DF199411A5EB309529CB67

Function 00A85745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A857E0
_wcslen.LIBCMT ref: 00A857EC

Strings

CALLARGARRAY, xrefs: 00A857E6, 00A857EB

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6c0f9459a55fb91dfef3e4acf4ee66c44f425db22f34ff3b9012ba78266d7ad0
Instruction ID: 0b33954887aeb35f64a227650a85cbdffd8dfd0cc1dde1f77adff6bba2103099
Opcode Fuzzy Hash: 6c0f9459a55fb91dfef3e4acf4ee66c44f425db22f34ff3b9012ba78266d7ad0
Instruction Fuzzy Hash: 29419171E006099FCB14EFB9C9819EEBBF5FF59324F10406AE905A7291EB709D81DB90

Function 00A7D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A7D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A7D13A

Strings

|, xrefs: 00A7D10B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 210e42364f57ffc6f1fbbf6141389d8b5e810312160121f54f3eb640bdf2ca6b
Instruction ID: 12dc46bab57ad61784c3c6d67ee5dcc54c3c0784e829cbe282ae3cd1283c433c
Opcode Fuzzy Hash: 210e42364f57ffc6f1fbbf6141389d8b5e810312160121f54f3eb640bdf2ca6b
Instruction Fuzzy Hash: 41313E71D00219ABCF15EFA4DD85AEE7FB9FF04304F404119F819A61A2E731AA56CB60

Function 00A9356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A93621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A9365C

Strings

static, xrefs: 00A935BC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d3fdf7c085f9d58987702a85c4cac6d4d984d0deae59f2c6f64f8ae9ec951243
Instruction ID: 96e33243aec671736260ef21c1838102a60d82f92288871578335fcb330dfe75
Opcode Fuzzy Hash: d3fdf7c085f9d58987702a85c4cac6d4d984d0deae59f2c6f64f8ae9ec951243
Instruction Fuzzy Hash: 65317872200604AEDF10DF68D880ABB73F9FF88724F10961AF9A5D7280DA31A991D760

Function 00A94537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A9461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A94634

Strings

', xrefs: 00A9458E

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fd9c074450b10d11fba2c59e99b83a2890921231802a22793039397e4f12c24b
Instruction ID: 269388906a6dedbcd9c95cc0bfd3702ffafd4eb116cca13f3626ba5f826cfa6a
Opcode Fuzzy Hash: fd9c074450b10d11fba2c59e99b83a2890921231802a22793039397e4f12c24b
Instruction Fuzzy Hash: 933117B4B012099FDF14CFA9C990BDA7BF5FB09300F11416AE905AB341E770A942CF90

Function 00A931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A9327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A93287

Strings

Combobox, xrefs: 00A93249

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c6e68b2a2555fd126bb945860717103d74d6b46e9c9c519b30106dfc6bab8ad3
Instruction ID: 11c632a20383bf9c9d4b01bb3de57714fb1e4906af9c0af2b131c3ad2aae1aee
Opcode Fuzzy Hash: c6e68b2a2555fd126bb945860717103d74d6b46e9c9c519b30106dfc6bab8ad3
Instruction Fuzzy Hash: 6E11B2723002087FFF25DF94DC84EFB37AAEBA4364F104529FA1997290D6759D518760

Function 00A6EF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6EF1D

Strings

pN, xrefs: 00A6EF1B
HANDLE, xrefs: 00A6EF16

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$pN
API String ID: 176396367-1533496080
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: b804e314916d83b6bdd3d5246d0d6847938e68edf443aff10af7334930cf6e23
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: 9311E279520114DBE728DF58D889BADB3B9EF91766F70446EE441CE0C4EBB09E818714

Function 00A93710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
Part of subcall function 00A0600E: GetStockObject.GDI32(00000011), ref: 00A06060
Part of subcall function 00A0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

GetWindowRect.USER32(00000000,?), ref: 00A9377A
GetSysColor.USER32(00000012), ref: 00A93794

Strings

static, xrefs: 00A93757

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 78dfec82e00f8f1153ee8554d507b9d059f6704e19639f3e10b5a103d5597bda
Instruction ID: 84fd2f1f3e58e4b4d46d79d237f8f9e89d4af875594c2dc666693165b21bf15a
Opcode Fuzzy Hash: 78dfec82e00f8f1153ee8554d507b9d059f6704e19639f3e10b5a103d5597bda
Instruction Fuzzy Hash: 1C1126B2610209AFDF00DFA8CD46AEA7BF8FB08314F004915F956E2250EB35E8619B60

Function 00A7CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A7CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A7CDA6

Strings

<local>, xrefs: 00A7CD66

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7aa1dab7c6af8b39940f21187559a9cd9a29af724f5b9a9c0daa4bc3cd8a465e
Instruction ID: 71b0468a880698e8d54a4d3d45984c1a02041f194db0d2a94abb5086abc31c92
Opcode Fuzzy Hash: 7aa1dab7c6af8b39940f21187559a9cd9a29af724f5b9a9c0daa4bc3cd8a465e
Instruction Fuzzy Hash: 3811A071205631BAD7384BA68C49EE7BEACEB127B4F00C22EB10D82181D6649941D6F0

Function 00A93429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A934BA

Strings

edit, xrefs: 00A9348F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 708c1ca1fb7f08657bf83b1d52244d77f08c5b27e6d3ce502109816d465ccb8c
Instruction ID: bf4a69558cf6e653c9994751061732d187c06cbf149c6ebc4f8e0e86cdeeb3c3
Opcode Fuzzy Hash: 708c1ca1fb7f08657bf83b1d52244d77f08c5b27e6d3ce502109816d465ccb8c
Instruction Fuzzy Hash: 10116D72200108AAEF118F64DC44AAA37FAEB85779F514724F965931D0C775EC519760

Function 00A66C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

CharUpperBuffW.USER32(?,?,?), ref: 00A66CB6
_wcslen.LIBCMT ref: 00A66CC2

Strings

STOP, xrefs: 00A66CBC, 00A66CC1

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e55d6c521c93dfc3ce420039c12320caa43d08512263e75b1e3fa4ccb889c48b
Instruction ID: 0483fe8beeea1c490312d422be816918011758a0765de8fa254b286b9757ef5f
Opcode Fuzzy Hash: e55d6c521c93dfc3ce420039c12320caa43d08512263e75b1e3fa4ccb889c48b
Instruction Fuzzy Hash: DB01D232A0092ACBCB20AFFDDD809BF77B5EF65714B100538E862971D1EB31D940C650

Function 00A61CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A61D4C

Strings

ComboBox, xrefs: 00A61CEB
ListBox, xrefs: 00A61D16

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bc2c67483f60637f693a848ba33419c4a34c4c6469c193e45598e00d60a27c42
Instruction ID: 8e97d3ff186cf048b9a5b82b0da644b35bab70cef61432584fcb7577cda5287a
Opcode Fuzzy Hash: bc2c67483f60637f693a848ba33419c4a34c4c6469c193e45598e00d60a27c42
Instruction Fuzzy Hash: 5901B571A01218ABCF04EBA4DD51DFF7BB8FB56350F040919F822573C2EA30590D8660

Function 00A61BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A61C46

Strings

ComboBox, xrefs: 00A61BE5
ListBox, xrefs: 00A61C10

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61e1d128858cadce18ed9d9c21db7954dcc60a6d8b06696efcd70f21c1d672e0
Instruction ID: 96226f7fbc310f41266a0850a1c11d24c6549d7863831fb2a139ab1d3b126bd0
Opcode Fuzzy Hash: 61e1d128858cadce18ed9d9c21db7954dcc60a6d8b06696efcd70f21c1d672e0
Instruction Fuzzy Hash: 3401A775B811086ADF04EBA0DA52EFF7BB89B11340F140019B506672C2EA249E1C96B1

Function 00A61C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A61CC8

Strings

ComboBox, xrefs: 00A61C69
ListBox, xrefs: 00A61C94

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b9af66f8b79b8936aa32efa03d4b5fb65b993f5a429a042932c012f9bfb0b9d7
Instruction ID: 8479dc9130bec1a25188bfed30bfdd4c03b488b0160afea70ab57714eb6d1e6c
Opcode Fuzzy Hash: b9af66f8b79b8936aa32efa03d4b5fb65b993f5a429a042932c012f9bfb0b9d7
Instruction Fuzzy Hash: 5001A7B1A4011866DB04E7A0DB01EFF7BB89B11340F140415B801732C2EA209F19D671

Function 00A61D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00A61DD3

Strings

ComboBox, xrefs: 00A61D75
ListBox, xrefs: 00A61DA0

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: eb45d6d24d7f5784d4f75fe895e73ece3ff2c144db775e0ba0f7d42ab0f5f1f8
Instruction ID: 18ce55277a2d09eae34cea6aa43c87883eda6bebbd93d858ba585232b96d280a
Opcode Fuzzy Hash: eb45d6d24d7f5784d4f75fe895e73ece3ff2c144db775e0ba0f7d42ab0f5f1f8
Instruction Fuzzy Hash: 89F0A471F41218AADB04E7A4DE52FFF7BB8AB01350F080D19B922632C2EA60690D8261

Function 00A8747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A87493
_wcslen.LIBCMT ref: 00A874B9

Strings

3, 3, 16, 1, xrefs: 00A87483

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 70370a97feae3e58f5f5a4493f2a5b81c52e819972f3e6f01f6475343c416291
Instruction ID: 9de4e2a349c86fd234508ce4d8daffe07d0b342fe07db665cc48fa9670e3e31d
Opcode Fuzzy Hash: 70370a97feae3e58f5f5a4493f2a5b81c52e819972f3e6f01f6475343c416291
Instruction Fuzzy Hash: 01E02B02204230209331337DADC1A7F5689DFC9750734183BF995C2266EAD4CDD193A0

Function 00A60B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A60B23

Strings

AutoIt, xrefs: 00A60B17
Error allocating memory., xrefs: 00A60B1C

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e060b91d017128871b24be7f9c19ccad7dc8f81fa4da2f2d300b56575d10f1ec
Instruction ID: 6c033f17a417524e8942489964cc6f67b5c0b44c7938aea57754ddfb243ddfe6
Opcode Fuzzy Hash: e060b91d017128871b24be7f9c19ccad7dc8f81fa4da2f2d300b56575d10f1ec
Instruction Fuzzy Hash: 59E0DF323887183AD61037947D03FCA7AC49F09B64F10082AFB88994C38EE224E006A9

Function 00A20D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A1F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A20D71,?,?,?,00A0100A), ref: 00A1F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00A0100A), ref: 00A20D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A0100A), ref: 00A20D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A20D7F

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 53dd62170cced23a14f53385aec95f9c5834fd91c2c27f195576ab0523766aa1
Instruction ID: 67f0bf4e16775ebfc0e97c3fb8f8cad2ff48c7b11f48e0443f2adc59cd76bc39
Opcode Fuzzy Hash: 53dd62170cced23a14f53385aec95f9c5834fd91c2c27f195576ab0523766aa1
Instruction Fuzzy Hash: E1E06D743017518FD760EFBCE504B827BE0AB00740F00493EE482C6652EBB0E4458B91

Function 00A73017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A7302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A73044

Strings

aut, xrefs: 00A73038

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 9088b4043ecaf5b7cbca19888d8380a5fe2fc5ec2ff23b2b65581c4244ee73d0
Instruction ID: 13400c0573b0a0ffcbd287b31fccd0de9e3735fe772184fe63c3982df145f9e0
Opcode Fuzzy Hash: 9088b4043ecaf5b7cbca19888d8380a5fe2fc5ec2ff23b2b65581c4244ee73d0
Instruction Fuzzy Hash: 24D05B7150031477DA20E7D89C0DFC73A6CD704760F0005527655D2091DEB09545CAD0

Function 00A5D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A5D220

Strings

X64, xrefs: 00A5D2A8
%.3d, xrefs: 00A5D22B

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f264dc80c6e4682e0c26db7d3d8b485839ded9839aa4c1a1d2c55aff02363b54
Instruction ID: 63d8794a266382741623f6c7ec0710268c3749f257e3f5c28f0c7827c811e36e
Opcode Fuzzy Hash: f264dc80c6e4682e0c26db7d3d8b485839ded9839aa4c1a1d2c55aff02363b54
Instruction Fuzzy Hash: E8D012B580C148FDCB6097D0CC459FDB37CBB08302F508456FC0691040D634D54CAB61

Function 00A92322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A9233F

Part of subcall function 00A6E97B: Sleep.KERNEL32 ref: 00A6E9F3

Strings

Shell_TrayWnd, xrefs: 00A92325

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c1a3f66732c8d689999ee4330b07126d5c11d25b58880e99b14a331bd0a1788e
Instruction ID: 6fa356245a506a0c9efa57c9b2ea420452a38b2b403dbf3bfc0417d06483f1b6
Opcode Fuzzy Hash: c1a3f66732c8d689999ee4330b07126d5c11d25b58880e99b14a331bd0a1788e
Instruction Fuzzy Hash: 27D0C936394710B6E664E7B09C0FFC6AA24AF00B20F0149167745AA1D4C9A4A8028A54

Function 00A92356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9236C
PostMessageW.USER32(00000000), ref: 00A92373

Part of subcall function 00A6E97B: Sleep.KERNEL32 ref: 00A6E9F3

Strings

Shell_TrayWnd, xrefs: 00A92365

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f351dbe3bee7ccc8d5313af0c2245f7af543e51a122f081eba60467e8b8f2188
Instruction ID: 07a6fd3226b25ef7cc9a96b1952f615934bf535ff9f7e873619368cf4ac51f5c
Opcode Fuzzy Hash: f351dbe3bee7ccc8d5313af0c2245f7af543e51a122f081eba60467e8b8f2188
Instruction Fuzzy Hash: 98D0C9363C17107AE664E7B09C0FFC6A624AB04B20F0149167745AA1D4C9A4A8028A54

Function 00A3BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00A3BE93
GetLastError.KERNEL32 ref: 00A3BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A3BEFC

Memory Dump Source

Source File: 00000000.00000002.1772524280.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1772457563.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772696942.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772768321.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1772806875.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f30803284fcd569138ebfe137607432e2cc720968c0e6c88609b75d8cc9aeec9
Instruction ID: 6f7f2c627aea8653ff983b9fd4818989a63c0e088727f41d39dfaf026117f52a
Opcode Fuzzy Hash: f30803284fcd569138ebfe137607432e2cc720968c0e6c88609b75d8cc9aeec9
Instruction Fuzzy Hash: 3241D734615216AFCF21CFA8DD54ABABBB6AF41320F245169FA599B1A1DB30CD01CB70

Analysis Process: firefox.exePID: 7772, Parent PID: 6492COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001F0254832B7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001F0254832DC

Memory Dump Source

Source File: 00000010.00000002.2960021763.000001F025480000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F025480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1f025480000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: f27927131ef3beeb809698fd371cf1ade8fb4cd8a35bf0547ad77d018ed64f0a
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 8AA3D631614A498BDB2EDF28DC897F9B7D5FB99304F04423ED94BC3252DE31E9428A85

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1924970481.000002AF96D97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870375892.000002AF97558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1870375892.000002AF97564000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1922859622.000002AF983B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954944208.000002AF983BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1917871455.000002AF9DDE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947605361.000002AF9DDE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1927039273.000002AF9D9A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1916380565.000002AF9F6D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927039273.000002AF9D9A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1982411742.000002AF96E8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922859622.000002AF983B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954944208.000002AF983BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1917871455.000002AF9DDE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947605361.000002AF9DDE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1948329267.000002AF9DC96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1948329267.000002AF9DC96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1797226467.000002AF9DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927039273.000002AF9D9A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1916380565.000002AF9F6D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797226467.000002AF9DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927039273.000002AF9D9A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2955374972.000001F024E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2956815918.000001D69DE0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2955374972.000001F024E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2956815918.000001D69DE0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2955374972.000001F024E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2956815918.000001D69DE0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2001584039.000002AF9DF4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870375892.000002AF97564000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1977629927.000002AF980C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982411742.000002AF96E8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922859622.000002AF983B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1977629927.000002AF980C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917871455.000002AF9DDE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947605361.000002AF9DDE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2001191247.000002AF9F53E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1982411742.000002AF96E79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49839 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_68bacf7a-01a0-48e3-9367-9826fefa565f.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_68bacf7a-01a0-48e3-9367-9826fefa565f.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre